Zscaler Blog

Security Research

International Council Of Women Site Leading To Nuclear & Kelihos

November 06, 2015 - 3 min read


We recently wrote about a compromised Chinese government site leading to an Angler Exploit Kit (EK) infection cycle. Nuclear EK operators are on par with their Angler EK peers in terms of the activity we are seeing in the wild. In the course of our EK hunting, we came across the website of a well-known multinational organization, the International Council of Women (ICW), being compromised and leading users to a Nuclear EK landing site. If the exploit cycle is successful, the end user is infected with the information-stealing Kelihos bot.

Compromised site - ICW

The following screenshot shows the malicious iframe injected on the compromised website.
[Screenshot: Compromised ICW web page]

The malicious iframe leads users to a Nuclear EK landing site as seen below.
[Screenshot: Nuclear EK redirection]

The Nuclear EK landing page is heavily obfuscated to evade security software detection as shown below.
[Screenshot: Nuclear EK landing page]

Upon successful execution of the obfuscated JavaScript, a malicious Flash file is downloaded on the victim's machine as seen below.
[Screenshot: Flash exploit download]
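The injected iframe in this chain is what turns a legitimate page into a redirector, and it is usually made invisible (zero-sized, hidden by CSS, or positioned off-screen) so visitors and site owners do not notice it. The following script is an added example, not code from the original post or from Zscaler, showing how a site owner can audit their own HTML for iframes with those traits. The page content and both hostnames (www.example.org, landing.example.net) are constructed samples; the heuristics are assumptions about what an injected frame typically looks like, not a signature for this campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site embed plus an injected,
# hidden frame pointing at an off-site domain (both hostnames are made up).
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.org/embed/calendar" width="600" height="400"></iframe>
<p>Some content</p>
<iframe src="http://landing.example.net/index.php?id=7" width="1" height="1"
        style="visibility:hidden; position:absolute; left:-9999px"></iframe>
</body></html>
"""


def _is_tiny(value):
    """True for a width/height of 0 or 1 (with or without 'px'): nothing visible is rendered."""
    if value is None:
        return False
    v = value.strip().lower().removesuffix("px")
    try:
        return float(v) <= 1
    except ValueError:
        return False


class IframeAuditor(HTMLParser):
    """Collects every <iframe> and records the traits that typically mark an injected redirector."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def _same_site(self, host):
        host = host.lower()
        return host == self.page_host or host.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}          # HTMLParser lowercases attribute names
        src = a.get("src", "")
        host = urlparse(src).hostname or ""
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if host and not self._same_site(host):
            reasons.append("off-site src")
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero-sized")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if "position:absolute" in style and ("left:-" in style or "top:-" in style):
            reasons.append("positioned off-screen")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def audit_iframes(html, page_host):
    """Return the iframes in `html` that look injected or hidden relative to `page_host`."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_HTML, "www.example.org"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

A same-site frame of normal size produces no finding, while the constructed injected frame is reported with all four traits. In practice this kind of check belongs in a periodic integrity scan of the served HTML, compared against the files in the deployment, since the injection in this campaign lived in the page itself rather than in any request the visitor made.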

Kelihos Payload Analysis

Upon successful exploitation, a new variant of the Kelihos bot is downloaded and installed on the victim machine. Here are some of the download locations for the Kelihos bot that we have seen in this campaign:

[Screenshot: Final payload download locations]

Kelihos is a Trojan family that distributes spam email messages. The malware communicates with remote servers to exchange information that is used to execute various tasks, including sending spam email, capturing sensitive information or downloading and executing arbitrary files.

The malware executable is a Microsoft Visual C++ 6.0 compiled binary with custom-packed content stored in the executable's overlay section. Kelihos installs WinPcap, a legitimate and commonly used Windows packet capture library, at the following locations:
  • %system32%\winpcap.dll
  • %system32%\Packet.dll
  • %system32%\drivers\npf.sys
Note: %system32% is c:\windows\system32

It uses hard-coded User-Agent strings from the following list when communicating with the remote host:
[Screenshot: Crafted User-Agent strings]
Kelihos tries to steal the login credentials of FTP and POP3 applications by monitoring the network traffic of the victim's machine with the installed WinPcap libraries. The bot checks for the presence of the following applications on the victim machine and attempts to steal login credentials, digital currency and other information:
  • 3D-FTP
  • Bitcoin
  • BitKinex
  • BlazeFtp
  • Bullet Proof FTP
  • Classic FTP
  • Core FTP
  • CuteFTP
  • Cyberduck
  • Directory Opus
  • FileZilla
  • Frigate3
  • FTPGetter
  • LeapFTP
  • FTPRush
  • xterm
  • PuTTY
  • SecureFX
  • SmartFTP
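The reason a packet capture library is enough to harvest FTP and POP3 credentials is that both protocols send `USER` and `PASS` in the clear unless the session is upgraded to TLS. The following is an added example, not code from the original post or from Zscaler, of the defender's side of the same observation: a small monitor that walks client-to-server TCP payloads and reports every cleartext login so those services can be moved to FTPS/SFTP and POP3S (or to STLS). The segment records and all addresses (RFC 5737 documentation ranges) are constructed samples, and passwords are never stored, only their length.

```python
import re

# Constructed sample of client->server TCP payloads, one record per segment.
# Addresses come from documentation ranges; the credentials are made up.
SAMPLE_SEGMENTS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 21,  "payload": b"USER alice\r\n"},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 21,  "payload": b"PASS s3cret!\r\n"},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 21,  "payload": b"PWD\r\n"},
    {"src": "10.0.0.7", "dst": "192.0.2.20", "dport": 110, "payload": b"USER bob@example.org\r\n"},
    {"src": "10.0.0.7", "dst": "192.0.2.20", "dport": 110, "payload": b"PASS hunter2\r\n"},
    {"src": "10.0.0.9", "dst": "192.0.2.30", "dport": 443, "payload": b"\x16\x03\x01\x00\x05hello"},
]

# Ports assumed to carry plain FTP and POP3; extend if services run elsewhere.
PROTOCOLS = {21: "FTP", 110: "POP3"}

# Both protocols use the same two-step form: "USER <name>" then "PASS <secret>".
CMD_RE = re.compile(rb"^(USER|PASS)\s+(\S+)\s*$", re.IGNORECASE)


def find_cleartext_logins(segments):
    """Return one finding per completed USER/PASS exchange seen on an FTP or POP3 port."""
    pending = {}   # (client, server, port) -> username waiting for its PASS
    findings = []
    for seg in segments:
        proto = PROTOCOLS.get(seg["dport"])
        if proto is None:
            continue
        key = (seg["src"], seg["dst"], seg["dport"])
        for line in seg["payload"].split(b"\r\n"):
            m = CMD_RE.match(line)
            if not m:
                continue
            cmd = m.group(1).upper()
            arg = m.group(2).decode("ascii", "replace")
            if cmd == b"USER":
                pending[key] = arg
            elif cmd == b"PASS" and key in pending:
                findings.append({
                    "protocol": proto,
                    "client": seg["src"],
                    "server": seg["dst"],
                    "user": pending.pop(key),
                    "password_len": len(arg),   # length only; the secret itself is not kept
                })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_SEGMENTS):
        print(f"{f['protocol']} login for {f['user']!r} from {f['client']} to {f['server']} "
              f"sent in the clear ({f['password_len']}-char password)")
```

The TLS segment on port 443 is ignored, and a `USER` without a following `PASS` on the same flow produces nothing. Run against real traffic, a tool like this answers the question the malware's sniffer answers for the attacker: which of your FTP and mail clients still authenticate in plaintext.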
The malware extracts stored information such as usernames, passwords and host names from the following browsers:
  • Google\Chrome
  • Chromium
  • ChromePlus
  • Bromium
  • Nichrome
  • Comodo
  • RockMelt
  • CoolNovo
  • MapleStudio\ChromePlus
  • Yandex
Kelihos communicates with its Command & Control (C&C) servers over HTTP, with the messages encrypted using the Blowfish symmetric-key algorithm.
[Screenshot: Post-infection communication]

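Because the bot's HTTP messages are Blowfish-encrypted, their bodies do not look like form posts or JSON: the byte distribution is close to uniform. The following is an added example, not code from the original post or from Zscaler, of a Shannon-entropy check that flags such bodies in web proxy or HTTP request logs. The request records, the 203.0.113.5 host (a documentation address) and the entropy threshold of 7.0 bits per byte are constructed assumptions; the "encrypted" body is a stand-in built from chained SHA-256 digests rather than real bot traffic.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 .. 8.0) of the byte string `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(body, min_len=64, threshold=7.0):
    """Heuristic: a long body with a near-uniform byte distribution is ciphertext or compressed data."""
    return len(body) >= min_len and shannon_entropy(body) >= threshold


# Constructed stand-in for a Blowfish-encrypted bot message: 512 bytes of
# deterministic, near-uniform data built from chained SHA-256 digests.
ENCRYPTED_LIKE_BODY = b"".join(
    hashlib.sha256(b"constructed-sample-%d" % i).digest() for i in range(16)
)

# Constructed ordinary form post for comparison (printable ASCII, low entropy).
FORM_BODY = (b"user=alice&action=login&remember=1&client=web&locale=en-US"
             b"&theme=light&page=/account/settings")

# Constructed HTTP request records; the bare-IP host is a documentation address.
SAMPLE_REQUESTS = [
    {"method": "POST", "host": "www.example.org", "path": "/login", "body": FORM_BODY},
    {"method": "POST", "host": "203.0.113.5", "path": "/", "body": ENCRYPTED_LIKE_BODY},
    {"method": "GET", "host": "203.0.113.5", "path": "/", "body": b""},
]


def flag_posts(requests):
    """Return the POST requests whose body looks encrypted, with the measured entropy attached."""
    flagged = []
    for r in requests:
        if r["method"] == "POST" and looks_encrypted(r["body"]):
            flagged.append(dict(r, entropy=round(shannon_entropy(r["body"]), 2)))
    return flagged


if __name__ == "__main__":
    for r in flag_posts(SAMPLE_REQUESTS):
        print(f"POST to {r['host']}{r['path']}: {len(r['body'])} bytes, "
              f"{r['entropy']} bits/byte, looks encrypted")
```

The form body measures well under 6 bits per byte and is ignored; the ciphertext-like body to the bare-IP host is flagged. Two caveats when applying this to real logs: legitimate compressed or TLS-tunnelled uploads score just as high, so the entropy is a triage signal to combine with destination reputation and the unusual User-Agent strings noted above, and if a bot base64-encodes its ciphertext the body should be decoded before measuring, since base64 text tops out near 6 bits per byte.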
Nuclear EK remains a worthy rival to Angler EK, with widespread campaigns, regular exploit payload updates, new obfuscation techniques and new malware payloads. The final malware payload we saw in this campaign was the information-stealing Kelihos bot, which has extremely low AV detection.
ThreatLabZ is actively monitoring new Nuclear EK infections in the wild and ensuring that Zscaler customers are protected.

Research by Dhanalakshmi PK and Rubin Azad
