We recently wrote about a compromised Chinese government site leading to an Angler Exploit Kit (EK) infection cycle. Nuclear EK operators are on par with their Angler EK peers in terms of the activity we are seeing in the wild. In the course of our EK hunting, we came across the website of the International Council of Women (ICW), a well-known multinational organization, which had been compromised and was redirecting visitors to a Nuclear EK landing site. If the exploit cycle succeeds, the end user is infected with the information-stealing Kelihos bot.
The following screenshot shows the malicious iframe injected on the compromised website.
|Compromised ICW web page|
The malicious iframe leads users to a Nuclear EK landing site as seen below.
|Nuclear EK redirection|
The Nuclear EK landing page is heavily obfuscated to evade detection by security software, as shown below.
|Nuclear EK landing page|
|Flash Exploit Download|
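The two artifacts shown above, an injected hidden iframe and an obfuscated landing page, are things a responder can check for in a saved copy of a suspect page. The following Python script is an added example, not code from the original write-up: it flags iframes that are hidden (1x1 or styled invisible) and notes whether they point off-site, and it scores inline scripts on obfuscation markers (dynamic-evaluation calls and a high density of `\xNN`, `%NN` or `\uNNNN` escapes). The HTML sample, its hostnames and the scoring thresholds are constructed for the demonstration; they are not the ICW page or the real landing site.

```python
"""Heuristics for an injected hidden iframe and an obfuscated inline script in saved HTML.

Added example; not the code of the original write-up. The sample page, hostnames
and the scoring thresholds are constructed for illustration.
"""
import math
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page on the victim's own domain (www.example.com) carrying a
# legitimate external embed, an injected 1x1 hidden iframe to an EK-style landing URL
# and an obfuscated inline script. Raw string so that \x65 stays four characters.
SAMPLE_HTML = r"""<html><head><title>Welcome</title>
<script type="text/javascript">
document.getElementById('menu').addEventListener('click', function () { toggle('menu'); });
</script></head><body>
<h1>Welcome</h1>
<iframe src="http://www.example.org/video.html" width="640" height="360"></iframe>
<iframe src="http://landing.example.net/index.php?id=1" width="1" height="1" style="visibility:hidden"></iframe>
<script>var a=["\x65\x76\x61\x6c","\x75\x6e\x65\x73\x63\x61\x70\x65"];eval(unescape("%76%61%72%20%78%3d%31%3b"));</script>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I)
DYNAMIC_EVAL = re.compile(r"\b(?:eval|unescape|Function)\s*\(|String\.fromCharCode|document\.write\s*\(")
ESCAPE_SEQ = re.compile(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")


class _Collector(HTMLParser):
    """Collect iframe attributes and the text of each inline <script>."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None


def _tiny(value):
    """True for a width/height of 0 or 1 pixel, the classic hidden-iframe size."""
    match = re.match(r"\s*(\d+)", value or "")
    return match is not None and int(match.group(1)) <= 1


def shannon_entropy(text):
    """Bits per character; obfuscated or encoded blobs sit well above ordinary source code."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def hidden_iframes(html, page_url):
    """Return hidden iframes as {src, external}; external means a host other than the page's own."""
    collector = _Collector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    hits = []
    for attrs in collector.iframes:
        hidden = (_tiny(attrs.get("width")) or _tiny(attrs.get("height"))
                  or bool(HIDDEN_STYLE.search(attrs.get("style") or "")))
        if hidden:
            src = attrs.get("src") or ""
            host = urlparse(src).hostname
            hits.append({"src": src, "external": host is not None and host != page_host})
    return hits


def score_script(script):
    """One point each for dynamic-eval calls, escapes covering >= 25% of the text and
    entropy >= 4.8 bits; two or more points marks the script suspicious (constructed thresholds)."""
    escaped_chars = sum(len(m) for m in ESCAPE_SEQ.findall(script))
    escape_ratio = escaped_chars / max(len(script), 1)
    entropy = shannon_entropy(script)
    points = int(bool(DYNAMIC_EVAL.search(script))) + int(escape_ratio >= 0.25) + int(entropy >= 4.8)
    return {"entropy": round(entropy, 2), "escape_ratio": round(escape_ratio, 3),
            "points": points, "suspicious": points >= 2}


def scan_page(html, page_url):
    """Run both heuristics over one saved page."""
    collector = _Collector()
    collector.feed(html)
    return {"hidden_iframes": hidden_iframes(html, page_url),
            "scripts": [score_script(s) for s in collector.scripts]}


if __name__ == "__main__":
    import json
    print(json.dumps(scan_page(SAMPLE_HTML, "http://www.example.com/"), indent=2))
```

The visible 640x360 embed on another host is not reported, because off-site alone is normal; only the hidden frame is. Same-origin hidden iframes are still reported with `external` set to false, since an attacker who can write to the page can also host the redirector on it.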
Upon successful exploitation, a new variant of the Kelihos bot is downloaded and installed on the victim's machine. Here are some of the download locations for the Kelihos bot that we have seen in this campaign:
hxxp://46.63.32[.]75/harsh02.exe
hxxp://95.65.55[.]6/harsh02.exe
hxxp://31.202.178[.]239/harsh02.exe
hxxp://37.233.40[.]97/harsh02.exe
hxxp://178.136.213[.]107/harsh02.exe
|Final Payload Download|
Kelihos is a Trojan family that distributes spam email messages. The malware communicates with remote servers to exchange the information it needs for its various tasks, including sending spam email, capturing sensitive information, and downloading and executing arbitrary files. The malware executable is a Microsoft Visual C++ 6.0 compiled binary with custom-packed content stored in the executable's overlay section. Kelihos installs WinPcap, a legitimate and commonly used Windows packet capture library, at the following locations:
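The overlay mentioned above is whatever the file carries past the end of its last section: the loader never maps it, so it is a convenient place to store a packed payload that the stub decodes at runtime. The following Python script is an added example, not tooling from the original write-up: it walks the PE headers with only the standard library, locates the overlay, measures its size and Shannon entropy, and flags a sizeable high-entropy overlay as the likely packed payload. The PE file it analyzes is constructed by `build_sample_pe()` from raw header fields and filler bytes; it is not the Kelihos binary and cannot execute.

```python
"""Locate and measure a PE overlay (data appended after the last section) and check its entropy.

Added example, not from the original write-up. The sample file is a constructed,
non-runnable PE-shaped blob built by build_sample_pe(); no real malware is embedded.
"""
import math
import struct
from collections import Counter


def shannon_entropy(buf):
    """Bits of entropy per byte; 8.0 is uniform, packed or encrypted data sits close to it."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_overlay(data):
    """Return (overlay_offset, overlay_size), or None if data is not PE-shaped.

    The overlay starts where the highest PointerToRawData + SizeOfRawData ends. Bytes
    beyond that point are not mapped by the loader, which is why packers use them.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    try:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4                                   # COFF file header
        (num_sections,) = struct.unpack_from("<H", data, coff + 2)
        (size_opt,) = struct.unpack_from("<H", data, coff + 16)
        section_table = coff + 20 + size_opt
        end_of_image = section_table + num_sections * 40      # at least the headers
        for i in range(num_sections):
            hdr = section_table + i * 40
            size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
            if size_raw:
                end_of_image = max(end_of_image, ptr_raw + size_raw)
    except struct.error:
        return None
    end_of_image = min(end_of_image, len(data))               # bogus section sizes: no overlay
    return end_of_image, len(data) - end_of_image


def analyze(data, entropy_threshold=7.0):
    """Summarise the overlay; a sizeable high-entropy overlay is the packed-payload signature."""
    found = pe_overlay(data)
    if found is None:
        return {"is_pe": False}
    offset, size = found
    entropy = shannon_entropy(data[offset:offset + size])
    return {"is_pe": True, "overlay_offset": offset, "overlay_size": size,
            "overlay_entropy": round(entropy, 3),
            "packed_overlay": size >= 1024 and entropy >= entropy_threshold}


def build_sample_pe(overlay=b""):
    """Construct a minimal PE32 skeleton (DOS header, COFF header, optional header, one
    .text section of 0x200 bytes at file offset 0x200) followed by the given overlay bytes."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0                                   # PE32 optional header size
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x0102)
    optional_header = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    raw_ptr, raw_size = 0x200, 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size, raw_ptr,
                          0, 0, 0, 0, 0x60000020)
    headers = (dos_header + b"PE\0\0" + coff_header + optional_header + section).ljust(raw_ptr, b"\0")
    text_section = bytes(range(256)) * 2                      # 0x200 bytes standing in for code
    return headers + text_section + overlay


if __name__ == "__main__":
    # Constructed high-entropy overlay: 4 KiB in which every byte value occurs equally often.
    packed = bytes((i * 73 + 11) % 256 for i in range(4096))
    print(analyze(build_sample_pe()))         # no overlay
    print(analyze(build_sample_pe(packed)))   # overlay at 0x400, entropy 8.0
```

A digitally signed binary also carries data after the last section (the Authenticode certificate table), so on real samples compare the overlay offset against the security directory entry before calling it a payload.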
Note: %system32% is C:\Windows\System32. The bot uses hard-coded User-Agent strings from the following list when communicating with the remote host:
Kelihos attempts to steal FTP and POP3 login credentials by sniffing the victim machine's network traffic with the installed WinPcap library; both protocols send the username and password in cleartext unless TLS or a challenge-response login is used. The bot also checks for the presence of the following applications on the victim machine and attempts to steal login credentials, digital currency and other information:
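To make concrete what a packet-capture library on a compromised host can read, the following Python script is an added example (not from the original write-up) of the passive credential sniffing described above: it reassembles client-to-server TCP payloads per flow and pulls out every completed FTP or POP3 `USER`/`PASS` pair. The segments, addresses and accounts are constructed for the demonstration; one login is split across two segments to show why reassembly matters, and one POP3 session uses APOP to show what a sniffer does not get.

```python
"""Pull cleartext FTP and POP3 logins out of client-to-server TCP payloads.

Added example, not from the original write-up. It reproduces the passive credential
sniffing the text attributes to Kelihos so a defender can see what a packet-capture
library on a compromised host can read. All segments below are constructed.
"""
from collections import OrderedDict

# Constructed client->server segments as (src_ip, dst_ip, dst_port, payload), in capture
# order. The POP3 login is split across two segments; the third flow uses APOP, whose
# digest never exposes the password on the wire.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", "192.0.2.10", 21, b"USER alice\r\n"),
    ("10.0.0.5", "192.0.2.10", 21, b"PASS s3cret!\r\nPWD\r\n"),
    ("10.0.0.5", "192.0.2.20", 110, b"USER bob@example.test\r\nPASS hun"),
    ("10.0.0.5", "192.0.2.20", 110, b"ter2\r\nSTAT\r\n"),
    ("10.0.0.5", "192.0.2.30", 110, b"APOP carol c4c9334bac560ecc979e58001b3e22fb\r\n"),
]

PROTOCOLS = {21: "ftp", 110: "pop3"}


def reassemble(segments):
    """Concatenate payloads per (src, dst, dport) flow, preserving first-seen order.

    Real captures also need sequence-number ordering and retransmission handling;
    this keeps the example to in-order segments.
    """
    flows = OrderedDict()
    for src, dst, dport, payload in segments:
        flows.setdefault((src, dst, dport), bytearray()).extend(payload)
    return flows


def extract_credentials(segments):
    """Return [{proto, client, server, user, password}] for every completed USER/PASS pair."""
    found = []
    for (src, dst, dport), stream in reassemble(segments).items():
        proto = PROTOCOLS.get(dport)
        if proto is None:
            continue
        user = None
        for line in bytes(stream).decode("latin-1").split("\r\n"):
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
            elif verb == "PASS" and user is not None:
                found.append({"proto": proto, "client": src, "server": dst,
                              "user": user, "password": arg})
                user = None
            # APOP, AUTH (SASL) and sessions upgraded with STLS / AUTH TLS never send a
            # cleartext PASS, so they produce nothing here; that is the mitigation.
    return found


if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_SEGMENTS):
        print(cred)
```

The same logic run over an organization's own egress capture is a quick inventory of clients still authenticating in cleartext, which is the exposure this bot monetizes.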
Kelihos communicates with its Command & Control (C&C) servers over HTTP, with the messages encrypted using the Blowfish symmetric-key algorithm.
|Post Infection Communication|