See: http://www.projecthoneypot.org/ip_31.31.196.16
and → http://urlquery.net/report.php?id=4370127
Gateway malware service as part of RedKit EK campaign, been with us since 2012:
- Domain rotation – based on time.
- HTML pages rotation, switching based on time too.
- Domains\web-server involved in spreading malware – victims of previous hacks, that turned into malware-spreading hosts.
- MDS cleans up the hacked host (at least from added HTML pages and malicious files) at the end of usage.
- Malware page provides 3(!) different payloads, 2 for Java and another for PDF.
Major flaw in this system is non-changed names for malicious files, but since malware domains are hacked, I assume only limited functionality is available to MDS owners, and that requires the use of static file names. Info thanks to Day by Day’s author D.L.
polonus
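The post describes compromised web servers that have HTML pages and payload files added to them and then cleaned up again once the campaign moves on. From a site owner's side, the practical check is a file-integrity baseline of the web root: a saved manifest of hashes, re-computed on a schedule, so that added, modified or removed pages and payload files show up even when the attacker tidies up afterwards. The example below is an added illustration and is not code from the post or from any of the linked reports; the set of watched file extensions and the constructed sample site in `demo()` are assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Assumed: file types worth watching on a web root, matching the added HTML
# pages and the Java / PDF payloads the post mentions.
WATCHED_SUFFIXES = {".html", ".htm", ".php", ".js", ".jar", ".class", ".pdf"}


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: str) -> dict:
    """Map relative POSIX path -> sha256 for every watched file under webroot."""
    root = Path(webroot)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            manifest[p.relative_to(root).as_posix()] = _digest(p)
    return manifest


def save_manifest(manifest: dict, path: str) -> None:
    """Persist the baseline; keep this copy off the web server if possible."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: str) -> dict:
    return json.loads(Path(path).read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed since the baseline.
    'removed' matters here too: the post notes the operators clean up the host
    at the end of usage, so a file that briefly existed still leaves a trace."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def check_webroot(webroot: str, baseline_path: str) -> dict:
    """One scheduled run: compare the live web root against the saved baseline."""
    return diff_manifests(load_manifest(baseline_path), build_manifest(webroot))


def demo() -> dict:
    """Constructed scenario (not real data): a small legitimate site is
    baselined, then a landing page and a Java payload are dropped on it and an
    existing page is altered. Returns the resulting diff."""
    site = Path(tempfile.mkdtemp(prefix="webroot_"))
    try:
        (site / "index.html").write_text("<html>legit</html>")
        (site / "about.html").write_text("<html>about</html>")
        (site / "img").mkdir()
        (site / "img" / "logo.png").write_bytes(b"\x89PNG")  # not a watched type
        baseline_file = site.parent / (site.name + ".baseline.json")
        save_manifest(build_manifest(str(site)), str(baseline_file))

        # Changes an integrity check should surface.
        (site / "landing.html").write_text("<html><!-- added page --></html>")
        (site / "payload.jar").write_bytes(b"PK\x03\x04")
        (site / "about.html").write_text("<html>about <!-- altered --></html>")

        result = check_webroot(str(site), str(baseline_file))
        baseline_file.unlink()
        return result
    finally:
        shutil.rmtree(site, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_manifest` plus `save_manifest` once on a known-clean site, then schedule `check_webroot` and alert on any non-empty list. Because the post observes that the payload file names stay constant across rotating domains, the `added` entries from several compromised sites can also be compared by name and hash to tie them to the same campaign.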