We recently wrote about a compromised Chinese government site leading to an Angler Exploit Kit (EK) infection cycle. Nuclear EK operators are on par with their Angler EK peers in terms of the activity we are seeing in the wild. In the course of our EK hunting, we came across the website of a popular multinational organization, the International Council of Women (ICW), that had been compromised and was leading users to a Nuclear EK landing site. If the exploit cycle is successful, the end user is infected with the information-stealing Kelihos bot.
Compromised site - ICW
The following screenshot shows the malicious iframe injected on the compromised website.
[Screenshot: Compromised ICW web page]
The malicious iframe leads users to a Nuclear EK landing site as seen below.
[Screenshot: Nuclear EK redirection]
The Nuclear EK landing page is heavily obfuscated to evade security software detection as shown below.
[Screenshot: Nuclear EK landing page]
[Screenshot: Flash exploit download]
Kelihos Payload Analysis
Upon successful exploitation, a new variant of the Kelihos bot is downloaded and installed on the victim machine. Here are some of the download locations for the Kelihos bot that we have seen in this campaign:
[Screenshot: Final payload download]
Kelihos is a Trojan family that distributes spam email messages. The malware communicates with remote servers to exchange information that is used to execute various tasks, including sending spam email, capturing sensitive information or downloading and executing arbitrary files.
The malware executable is a Microsoft Visual C++ 6.0 compiled binary whose custom-packed content is stored in the executable's overlay section (the data appended after the last PE section). Kelihos installs WinPcap, a legitimate and commonly used Windows packet capture library, at the following locations:
Note: %system32% is c:\windows\system32
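Because the packed content lives in the overlay, the first step in analysing a sample like this is to find where the last section's raw data ends and carve everything after it. The following Python is an added example written for this post (not the ThreatLabZ analysis code, and not tied to the Kelihos sample); it implements the general PE overlay-carving algorithm for any PE32/PE32+ file and adds a Shannon entropy check, since high entropy in the carved region is a common sign of packed or encrypted content. The helper names and the minimal PE image built by `build_sample_pe` are constructed for demonstration.

```python
"""Carve the overlay (bytes after the last section) out of a PE file and
measure its entropy. Added example; names and the sample PE are constructed."""
import math
import struct
from collections import Counter

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER is always 40 bytes


def overlay_offset(data: bytes) -> int:
    """Return the file offset at which the overlay starts.

    The overlay begins where the highest (PointerToRawData + SizeOfRawData)
    of any section ends; if there are no sections it starts right after the
    section table.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + size_opt
    end = sect_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        entry = sect_table + i * SECTION_HEADER_SIZE
        # Section header: Name(8) VirtualSize(4) VirtualAddress(4)
        # SizeOfRawData(4) PointerToRawData(4) ...
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def extract_overlay(data: bytes) -> bytes:
    """Return the appended overlay, or b'' when the file has none."""
    return data[overlay_offset(data):]


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte (0.0 for a constant buffer, 8.0 for uniform)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def build_sample_pe(section_payload: bytes, overlay: bytes) -> bytes:
    """Construct a minimal (non-runnable) PE32 image with one section and
    append `overlay`. Constructed test data only, not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 224  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    raw_ptr = 0x200  # first section's raw data starts at file offset 0x200
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 60, raw_ptr)    # SizeOfHeaders
    sect = (b".text\0\0\0"
            + struct.pack("<IIII", len(section_payload), 0x1000,
                          len(section_payload), raw_ptr)
            + b"\0" * 16)
    image = dos + b"PE\0\0" + coff + bytes(opt) + sect
    image += b"\0" * (raw_ptr - len(image)) + section_payload
    return image + overlay


if __name__ == "__main__":
    sample = build_sample_pe(b"\x90" * 0x200, bytes(range(256)) * 4)
    ov = extract_overlay(sample)
    print(f"overlay at 0x{overlay_offset(sample):x}, {len(ov)} bytes, "
          f"entropy {shannon_entropy(ov):.2f} bits/byte")
```

On a real sample you would read the file with `open(path, "rb").read()`, carve the overlay and then work out the custom unpacking routine from the code that reads it; the entropy figure alone only tells you the region is worth that effort.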
It uses hard-coded User-Agent strings from the following list when communicating with the remote host:
Kelihos tries to steal FTP and POP3 login credentials by sniffing the victim machine's network traffic with the installed WinPcap libraries; both protocols send the username and password in cleartext unless TLS is negotiated. The bot also checks for the presence of the following applications on the victim machine and attempts to steal login credentials, digital currency and other information from them:
- Bullet Proof FTP
- Classic FTP
- Core FTP
- Directory Opus
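Passive sniffing of this kind only works against sessions that never switch to TLS, so a useful defensive check is to audit your own captures for FTP and POP3 logins that are still sent in the clear. The Python below is an added example for this post (not ThreatLabZ code and not derived from the Kelihos sample); it classifies a client-to-server payload as secured (the client issued `AUTH TLS` or `STLS` before authenticating) or exposed (a cleartext `PASS` command was seen) and reports the affected account name so the credential can be rotated and the client reconfigured. The flows in `SAMPLE_FLOWS` are constructed; the function and variable names are assumptions.

```python
"""Audit FTP (port 21) and POP3 (port 110) client traffic for cleartext
logins, the exposure a WinPcap-based sniffer such as Kelihos relies on.
Added example with constructed sample flows."""
from typing import Optional, Tuple

PORT_TO_PROTOCOL = {21: "ftp", 110: "pop3"}
# Commands after which the connection switches to TLS, so anything that
# follows is encrypted and no longer readable by a passive sniffer.
UPGRADE_COMMANDS = {"ftp": b"AUTH TLS", "pop3": b"STLS"}

# Constructed client->server payloads: (client_ip, server_port, bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", 21, b"USER alice\r\nPASS hunter2\r\nLIST\r\n"),
    ("10.0.0.6", 21, b"AUTH TLS\r\n\x16\x03\x01\x00\x8e\x01\x00\x00\x8a"),
    ("10.0.0.7", 110, b"USER bob@example.test\r\nPASS s3cret\r\nSTAT\r\n"),
    ("10.0.0.8", 110, b"STLS\r\n\x16\x03\x01\x00\x8e\x01\x00\x00\x8a"),
    ("10.0.0.9", 21, b"USER carol\r\nQUIT\r\n"),  # never authenticated
]


def audit_flow(port: int, payload: bytes) -> Tuple[str, Optional[str], bool]:
    """Return (protocol, username, exposed).

    `exposed` is True only when a PASS command appears in cleartext. The
    password itself is deliberately not returned: the audit needs the
    account name, not the secret.
    """
    proto = PORT_TO_PROTOCOL.get(port)
    if proto is None:
        raise ValueError(f"port {port} is not FTP or POP3")
    username, exposed = None, False
    for line in payload.split(b"\r\n"):
        if line.upper().startswith(UPGRADE_COMMANDS[proto]):
            break  # remainder of the stream is TLS, stop parsing
        if line.upper().startswith(b"USER "):
            username = line[5:].strip().decode("utf-8", "replace")
        elif line.upper().startswith(b"PASS "):
            exposed = True
    return proto, username, exposed


def exposed_accounts(flows) -> list:
    """List (client_ip, protocol, username) for every cleartext login."""
    findings = []
    for client_ip, port, payload in flows:
        proto, username, exposed = audit_flow(port, payload)
        if exposed:
            findings.append((client_ip, proto, username))
    return findings


if __name__ == "__main__":
    for client_ip, proto, user in exposed_accounts(SAMPLE_FLOWS):
        print(f"{client_ip} sends {proto.upper()} credentials for "
              f"'{user}' in cleartext; enforce TLS and rotate the password")
```

In a real deployment the payloads would come from reassembled TCP streams (for example exported from Zeek or Wireshark) rather than the inline list; the classification logic is the same.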
The malware extracts stored information such as usernames, passwords and host names from the following browsers:
Kelihos communicates with its Command & Control (C&C) servers over HTTP, with the messages encrypted using the Blowfish symmetric-key algorithm.
[Screenshot: Post-infection communication]
Nuclear EK remains a worthy rival to Angler EK, with widespread campaigns, regular exploit payload updates, new obfuscation techniques and new malware payloads. The final malware payload we saw in this campaign was the information-stealing Kelihos bot, which has extremely low AV detection.
ThreatLabZ is actively monitoring new Nuclear EK infections in the wild and ensuring that Zscaler customers are protected.
Research by Dhanalakshmi PK and Rubin Azad