Gong Da exploit kit is involving, after integration of the CVE-2012-5076 Java vulnerability (Java Applet JAX-WS) one week ago, the EK is now preparing integration for Adobe Flash vulnerability CVE-2012-1535 fixed in APSB12-18 patch.

This new version was discovered on “hxxp://coa.ains.co.kr/css/css.html” and on “hxxp://www.dcpccdrw.com/asdf/index.html” web sites who is actually still online.

coa.ains.co.kr” seem to be a legit web site and is hosted on 221.143.50.201, AS9318, in South Korea. “dcpccdrw.com” is hosted on 174.37.172.69, AS36351, in US. “dcpccdrw.com” domain name was created the 2012-11-23, through name.com registrar, for “tao wen ([email protected])“.

index.html” and “css.html” file containing JavaScript code are obfuscated by “JSXX VIP JS Obfuscator“.

After de-obfuscation of the HTML files you can see that Gong Da Pack has involve to the following diagram.