Nuclear Exploit Kit malware drives users to Kelihos Trojan family

International Council for Women homepage compromised, legitimate Windows libraries used to construct attack

Internet security firm Zscaler says it has discovered a compromise of the website belonging to the International Council for Women. The compromise led visitors to a Nuclear Exploit Kit (EK) landing page; Nuclear's infection cycle is on a par with that of its rival, the Angler Exploit Kit.

In this particular case, if the full exploit cycle executes successfully, the end user is infected with the ‘information stealing’ Kelihos bot. A malicious iframe on the compromised site sends visitors to a Nuclear EK landing page whose code is heavily obfuscated to evade detection by security software.

Once the obfuscated JavaScript executes, a malicious Flash file is downloaded to the victim's machine. If the Flash exploit succeeds, a new variant of the Kelihos bot is downloaded and installed on the victim's machine.
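The injected iframe is the first link in the chain described above, and it is the one a site owner can check for directly. The following scanner is an added example, not code from the article or from Zscaler: it parses an HTML page and reports iframes that are hidden by style, sized to zero or one pixel, positioned off-screen, or whose src points to a host outside an allow-list. The sample HTML, the hostnames `www.icw.example` and `landing.example`, and the allow-list are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attribute values can be None for bare attributes; normalise to ""
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height values of 0 or 1 (with or without a unit)."""
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


def find_suspicious_iframes(html, trusted_hosts):
    """Return a list of (src, reasons) for iframes that look injected.

    trusted_hosts: set of hostnames the site legitimately embeds from.
    """
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        style = attrs.get("style", "").lower().replace(" ", "")
        if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
            reasons.append("zero/one-pixel dimensions")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by inline style")
        if re.search(r"(left|top):-\d{3,}", style):
            reasons.append("positioned off-screen")
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host not in trusted_hosts:
            reasons.append(f"off-site src host {host}")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate embed and one hidden, off-site iframe
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.icw.example/media/player" width="480" height="270"></iframe>
<div><iframe src="http://landing.example/index.php" width="0" height="0"
     style="display: none"></iframe></div>
</body></html>"""

TRUSTED = {"www.icw.example"}

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, TRUSTED):
        print(src, "->", ", ".join(reasons))
```

Run this over a crawl of your own pages (or diff the results against a known-good copy of the site) rather than over a single page: injected iframes are typically added to templates or footers and therefore appear on many pages at once.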

How the Kelihos Trojan works

Kelihos is a Trojan family that distributes spam email messages. The malware communicates with remote servers to exchange information that is used to execute various tasks, including sending spam email, capturing sensitive information or downloading and executing arbitrary files.

According to Zscaler's Dhanalakshmi PK and Rubin Azad, “Nuclear EK remains a worthy rival to Angler EK, with widespread campaigns, regular exploit payload updates, new obfuscation techniques and new malware payloads. The end malware payload we saw in this campaign was the information stealing Kelihos bot which has extremely low AV detection.”

The malware executable file is a Microsoft Visual C++ 6.0 compiled binary with custom packed content stored in the executable's overlay section. Kelihos installs WinPcap, a legitimate and commonly used Windows packet capture library.
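Two of the details above are easy to check on any Windows binary: the linker version recorded in the PE optional header (MSVC 6.0 builds carry linker version 6.0) and the presence of an overlay, meaning data appended after the last section's raw bytes. The following script is an added example, not code from the article or from Zscaler: it parses the PE headers with the standard library only, measures the size and byte entropy of the overlay, and flags a sizeable high-entropy overlay as likely packed content. The `build_sample_pe` helper constructs a minimal, non-executable PE image for the demonstration; it is not derived from the Kelihos sample.

```python
import math
import struct

FILE_ALIGN = 0x200  # file alignment used by the constructed sample


def build_sample_pe(sections, overlay=b""):
    """Build a minimal, non-executable PE32 image (constructed test sample).

    sections: list of (name, raw_bytes). The linker version is set to 6.0 to
    mimic an MSVC 6.0 build; overlay bytes are appended after the last section.
    """
    e_lfanew = 0x40
    opt_size = 0xE0                                   # PE32 optional header size
    nsect = len(sections)
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * nsect
    first_raw = -(-headers_end // FILE_ALIGN) * FILE_ALIGN

    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBB", 0x10B, 6, 0) + b"\x00" * (opt_size - 4)  # Magic, MajorLinker, MinorLinker

    table, bodies, raw_ptr = b"", b"", first_raw
    for name, data in sections:
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             len(data), 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += data.ljust(raw_size, b"\x00")
        raw_ptr += raw_size
    header = (dos + b"PE\x00\x00" + coff + opt + table).ljust(first_raw, b"\x00")
    return header + bodies + overlay


def shannon_entropy(data):
    """Entropy in bits per byte; values near 8.0 indicate packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_pe(data):
    """Return the linker version, section layout and overlay statistics of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]    # COFF SizeOfOptionalHeader
    major, minor = struct.unpack_from("<BB", data, e_lfanew + 26)  # Major/MinorLinkerVersion

    sect_off = e_lfanew + 24 + opt_size
    sections, data_end = [], 0
    for i in range(nsect):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_off + 40 * i)
        sections.append((name.rstrip(b"\x00").decode(errors="replace"), raw_ptr, raw_size))
        data_end = max(data_end, raw_ptr + raw_size)

    overlay = data[data_end:]             # everything after the last section's raw data
    entropy = shannon_entropy(overlay)
    return {
        "linker_version": f"{major}.{minor}",
        "sections": sections,
        "overlay_size": len(overlay),
        "overlay_entropy": round(entropy, 2),
        # heuristic: any overlay whose bytes look random is worth a closer look
        "suspicious": len(overlay) > 0 and entropy > 7.0,
    }


if __name__ == "__main__":
    sample = build_sample_pe([(".text", b"\x90" * 100), (".data", b"\x00" * 16)],
                             overlay=bytes(range(256)) * 8)   # constructed high-entropy overlay
    print(analyze_pe(sample))
```

Legitimate installers and signed binaries also carry overlays (an Authenticode signature lives there, for instance), so treat the flag as a triage hint to be combined with the other indicators the article names, such as a dropped WinPcap installation, rather than as a verdict on its own.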

Gavin Reid, VP of threat intelligence at Lancope, spoke to SCMagazineUK.com about this story, saying: “The Exploit Kits in question here are similar with new exploits being added as discovered to both. Angler has had the lead in better obfuscation through things like domain shadowing and unique referrers.”

Understanding obfuscation

As with other exploit kits, Nuclear Pack uses various obfuscation techniques to avoid detection by IDS and anti-virus solutions. According to Abel Toro of Raytheon Websense, in order to detect and protect against this threat, it is crucial to understand and identify the obfuscation techniques that are unique to this exploit kit.

“Nuclear Pack, one of the most widely used exploit kits, has constantly evolved from 2009 – when it appeared for the first time – until now. This kit is capable of deploying a wide range of attacks, from Flash, Silverlight, PDF, and Internet Explorer exploits to the possibility of launching advanced pieces of malware and ransomware. Due to their polymorphic nature, exploit kits are main vehicles for zero-day attacks and software vulnerabilities and have become the main tools used by online criminals to launch data exfiltration operations,” said Toro.

For those who wish to learn more, Toro points to his paper on this exact topic, Happy Nucl(y)ear - Evolution of an Exploit Kit.

Speaking directly to SCMagazineUK.com, Todd Weller, VP of corporate development at Hexis Cyber Solutions, said that the compromise of the International Council of Women's (ICW) website illustrates the challenges organisations face in protecting themselves from today's widespread cyber-threats.

“The ICW website is a legitimate site and visits to it by end users wouldn't yield reasons to be suspicious,” he said.

“Detection is critical, but it's equally important to be able to respond to threats before they do the real damage. Organisations need to have comprehensive visibility into both endpoint activity (suspicious files, processes, network communications) and network activity (communications with bad IPs, domains and DNS), in order to protect themselves. Only then are they able to detect, verify and respond to threats at machine-speeds before damage is incurred,” added Weller.