TeamSpeak Forum hacked and redirects users to DotCacheF Exploit Kit

The official forum of TeamSpeak, a company that provides voice-over-Internet Protocol (VoIP) software, has been infected with a malicious script.

Malwarebytes' honeypot found that the TeamSpeak forum "forum[dot]teamspeak.com" has been compromised and redirects visitors to the DotCacheF exploit page.

Security researchers at Malwarebytes noted that the infection is similar to the "malware infection on automobile forum" found by Kahu Security.

The malicious script injected into the forum goes through several redirects before reaching the exploit kit landing page, which is hosted on another infected website (atvisti[dot]ro).

The exploit kit page attempts to exploit vulnerable plugins in the victim's browser. If successful, it drops the ZeroAccess Trojan onto the victim's machine.

RedKit: a new private exploit kit spotted in the wild

Trustwave security researchers have spotted a new private exploit kit in the wild. The kit has no official name, so the researchers dubbed it 'RedKit' because of the red border used in the application's panel.

The developers promote the kit with a standard banner. Prospective buyers are required to share their Jabber username by filling in an online form hosted on the compromised site of an unsuspecting Christian church.

"Logging to the admin panel presents you with options which are typically used by other exploit kits. The panel allows you to check the statistics for incoming traffic, upload a payload executable and even scan this payload with no less than 37(!) different AV's," Trustwave researchers said.

Because each malicious URL gets blocked by most security firms within 24 to 48 hours, RedKit's authors have provided a new API that produces a fresh URL every hour, so customers of the exploit kit can set up an automated process that updates their traffic sources every hour or so to point to the new URL.

The kit currently exploits two of the most popular vulnerabilities, but the authors will probably add more exploits soon in order to catch up with "industry leaders" such as the BlackHole and Phoenix exploit kits.

The first exploit is a fairly obfuscated PDF file that targets the LibTIFF vulnerability (CVE-2010-0188); the second targets the Java AtomicReferenceArray vulnerability (CVE-2012-0507).