Thanks to EKWatcher, whose decoding skills saved me a lot of time.
As we see more and more of these "XMLDOM" checks in exploit kits, I decided to write up here some of the checks spotted. This is a fast-moving area and it will be hard to keep this up to date, but it may give an idea of how the technique is being used.
Angler EK:
http://pastebin.com/EAKZk43e 2014-10-01
http://pastebin.com/pzx2xPDJ 2014-08-23
Astrum EK:
http://pastebin.com/PfAjuvPR 2014-09-06
Nuclear Pack:
Gathering samples by browsing requires hardening too. Nuclear Pack tries to detect VMWare now. pic.twitter.com/W9Z1bgUJyv
— kafeine (@kafeine) September 28, 2014
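The checks listed above rely on Internet Explorer's XMLDOM ActiveX object being pointed at local res:// or file:// paths so that the parser's error reporting reveals whether a given file (a security product, a VM tool) is present. As an added example (not code from this post or from any of the kits named), the following Python heuristic flags that pattern in landing-page JavaScript from the defender's side: it undoes simple string splitting and hex escaping, then looks for the XMLDOM object, a local URI, and the DOCTYPE/parseError plumbing around it. The sample scripts are constructed; the probed paths are placeholders, and the Msxml2.DOMDocument ProgID is included as an assumed alternative spelling of the same object.

```python
import re

# Constructed benign sample: XMLDOM used to parse an inline string, no local URIs.
BENIGN_SCRIPT = '''
var doc = new ActiveXObject("Microsoft.XMLDOM");
doc.async = false;
doc.loadXML("<config><item>1</item></config>");
'''

# Constructed fingerprinting sample in the kit style: split ProgID string,
# hex-escaped scheme, placeholder paths instead of any real product file.
PROBE_SCRIPT = '''
var d = new ActiveXObject("Micro" + "soft.XMLDOM");
d.async = false;
d.loadXML('<!DOCTYPE x SYSTEM "\\x72\\x65\\x73://C:\\\\PLACEHOLDER\\\\product.dll">');
if (d.parseError.errorCode != 0) { report("product_present"); }
d.loadXML('<!DOCTYPE x SYSTEM "file://C:\\\\PLACEHOLDER\\\\vmtools.exe">');
'''

# Microsoft.XMLDOM is the ProgID seen in the wild; Msxml2.DOMDocument is an
# assumed equivalent and is matched too.
XMLDOM_RE = re.compile(
    r'ActiveXObject\s*\(\s*["\'](?:Microsoft\.XMLDOM|Msxml2\.DOMDocument[^"\']*)["\']',
    re.I)
LOCAL_URI_RE = re.compile(r'\b(?:res|file)://[^"\'<>\s]+', re.I)
DOCTYPE_RE = re.compile(r'<!DOCTYPE[^>]*\bSYSTEM\b', re.I)
PARSE_ERROR_RE = re.compile(r'parseError\s*\.\s*errorCode', re.I)


def normalize(js: str) -> str:
    """Undo two cheap obfuscations so the regexes see the plain text:
    "a" + "b" string joins and \\xNN / \\uNNNN character escapes."""
    js = re.sub(r'["\']\s*\+\s*["\']', '', js)
    js = re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), js)
    js = re.sub(r'\\u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), js)
    return js


def probed_paths(js: str) -> list:
    """Return the local res:// and file:// targets referenced by the script,
    which tells the analyst what the page was trying to enumerate."""
    return sorted({m.group(0) for m in LOCAL_URI_RE.finditer(normalize(js))})


def analyze(js: str) -> dict:
    """Score a script: XMLDOM plus a local URI is suspicious; with the
    DOCTYPE SYSTEM or parseError.errorCode plumbing it is fingerprinting."""
    src = normalize(js)
    ind = {
        "xmldom_object": bool(XMLDOM_RE.search(src)),
        "local_uri": bool(LOCAL_URI_RE.search(src)),
        "doctype_system": bool(DOCTYPE_RE.search(src)),
        "parse_error_check": bool(PARSE_ERROR_RE.search(src)),
    }
    if ind["xmldom_object"] and ind["local_uri"] and (
            ind["doctype_system"] or ind["parse_error_check"]):
        verdict = "fingerprinting"
    elif ind["xmldom_object"] and ind["local_uri"]:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": ind, "paths": probed_paths(src)}


if __name__ == "__main__":
    for name, script in (("benign", BENIGN_SCRIPT), ("probe", PROBE_SCRIPT)):
        result = analyze(script)
        print(name, result["verdict"], result["paths"])
```

The verdict is a triage hint, not proof: legitimate pages do instantiate Microsoft.XMLDOM, which is why the object alone scores benign and only its combination with local URIs and the error-reporting check escalates. Heavier obfuscation (eval-built strings, charCode arrays) will not be unwound by normalize(), so this belongs after a deobfuscation pass, not in place of one.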
Read more:
Attackers abusing Internet Explorer to enumerate software and detect security products - Jaime Blasco - AlienVault - 2014-07-25