Introduction
We recently wrote about a compromised Chinese government site leading to an Angler Exploit Kit (EK) infection cycle. Nuclear EK operators are on par with their Angler EK peers in terms of the activity we are seeing in the wild. During our EK hunting, we came across the website of a well-known international organization, the International Council of Women (ICW), which had been compromised and was redirecting visitors to a Nuclear EK landing site. If the exploit cycle succeeds, the end user is infected with the information-stealing Kelihos bot.
Compromised site - ICW
The following screenshot shows the malicious iframe injected into the compromised website.
Compromised ICW web page
The malicious iframe redirects visitors to a Nuclear EK landing site, as seen below.
Nuclear EK redirection
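The injected iframe is the foothold of the whole chain, so a quick way to triage a suspected compromised site is to scan its HTML for iframes that are hidden by CSS, sized to a pixel or two, or pointing off-site. The following Python script is an added example and is not code from the original post or from ThreatLabZ; the sample HTML, the heuristics and the site hostname are constructed assumptions for illustration, not the ICW page's actual markup.

```python
"""Flag iframes that look injected: hidden, tiny, or pointing off-site."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the ICW page's real HTML): one legitimate
# embed and one injected, hidden iframe pointing at an external host.
SAMPLE_HTML = """
<html><body>
<h1>Example site</h1>
<iframe src="https://www.example.org/video" width="640" height="360"></iframe>
<iframe src="http://landing.example.net/xyz.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>
"""

# CSS fragments commonly used to keep an injected iframe out of sight
# (heuristic assumption, not a list from the original post).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}", re.I
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _dimension(value):
    """Parse '1' or '1px' into an int; return None for '100%' or missing."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None


def suspicious_iframes(html, site_host):
    """Return (src, reasons) for each iframe that matches the heuristics.

    An iframe is reported when it is hidden by CSS, or when at least two
    of {tiny size, hidden, external host} apply; an off-site embed alone
    (ads, video players) is not enough on its own.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        src = attrs.get("src") or ""
        width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if (width is not None and width <= 2) or (height is not None and height <= 2):
            reasons.append("tiny dimensions")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden by CSS")
        host = urlparse(src).hostname or ""
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("external host %s" % host)
        if "hidden by CSS" in reasons or len(reasons) >= 2:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(src, "->", ", ".join(reasons))
```

Run it against a saved copy of the page rather than a live fetch, since the injected iframe may only be served to certain User-Agents or referrers. Legitimate third-party embeds will trip the "external host" rule, which is why that rule alone does not produce a finding.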
The Nuclear EK landing page is heavily obfuscated to evade detection by security software, as shown below.
Nuclear EK landing page
Upon successful execution of the obfuscated JavaScript, a malicious Flash file is downloaded to the victim's machine, as seen below.
Flash Exploit Download
Kelihos Payload Analysis
Upon successful exploitation, a new variant of the Kelihos bot is downloaded and installed on the victim's machine. Here are some of the download locations for the Kelihos bot that we have seen in this campaign:
- hxxp://46.63.32[.]75/harsh02.exe
- hxxp://95.65.55[.]6/harsh02.exe
- hxxp://31.202.178[.]239/harsh02.exe
- hxxp://37.233.40[.]97/harsh02.exe
- hxxp://178.136.213[.]107/harsh02.exe
Final Payload Download
Kelihos is a Trojan family that distributes spam email messages. The malware communicates with remote servers to exchange information that is used to execute various tasks, including sending spam email, capturing sensitive information or downloading and executing arbitrary files.
The malware executable is a Microsoft Visual C++ 6.0 compiled binary with custom-packed content stored in the executable's overlay. Kelihos installs WinPcap, a legitimate and commonly used Windows packet capture library, at the following locations:
- %system32%\winpcap.dll
- %system32%\Packet.dll
- %system32%\drivers\npf.sys
It uses hard-coded User-Agent strings from the following list when communicating with the remote host:
Crafted User-Agent
- 3D-FTP
- Bitcoin
- BitKinex
- BlazeFtp
- Bullet Proof FTP
- Classic FTP
- Core FTP
- CuteFTP
- Cyberduck
- Directory Opus
- FFFTP
- FileZilla
- Frigate3
- FTPGetter
- LeapFTP
- FTPRush
- xterm
- PuTTY
- SecureFX
- SmartFTP
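The download URLs listed above and the bare User-Agent strings are both usable as detection content for web proxy logs. The following Python script is an added example, not code from the original post or from ThreatLabZ: it runs two checks over constructed proxy log lines, requests to the listed download hosts or for harsh02.exe, and requests whose User-Agent is exactly one of the bare product names. The tab-separated log format, the sample lines and the assumption that a bare product name with no version token is unusual for a legitimate client are ours, not the post's.

```python
"""Hunt proxy logs for the Kelihos download URLs and hard-coded User-Agents."""
from urllib.parse import urlparse

# Download locations from the post, with the defanging brackets removed so
# the hostnames match what a proxy would actually log.
KELIHOS_DOWNLOAD_HOSTS = {
    "46.63.32.75", "95.65.55.6", "31.202.178.239",
    "37.233.40.97", "178.136.213.107",
}
KELIHOS_PAYLOAD_NAME = "harsh02.exe"

# Hard-coded User-Agent strings from the post. Kelihos sends the bare
# product name; the assumption here (ours, not the post's) is that a
# User-Agent equal to one of these names, with no version or platform
# token, is worth flagging, while "FileZilla/3.10.3" style strings are not.
KELIHOS_USER_AGENTS = {
    "3D-FTP", "Bitcoin", "BitKinex", "BlazeFtp", "Bullet Proof FTP",
    "Classic FTP", "Core FTP", "CuteFTP", "Cyberduck", "Directory Opus",
    "FFFTP", "FileZilla", "Frigate3", "FTPGetter", "LeapFTP", "FTPRush",
    "xterm", "PuTTY", "SecureFX", "SmartFTP",
}

# Constructed sample proxy log (tab-separated: time, client, method, URL,
# status, User-Agent). Made up for this example; clients are private-range
# placeholders and the two benign lines use documentation domains.
SAMPLE_LOG_LINES = [
    "2015-06-01T10:00:01\t10.0.0.5\tGET\thttp://www.example.com/index.html\t200\t"
    "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0",
    "2015-06-01T10:00:09\t10.0.0.5\tGET\thttp://46.63.32.75/harsh02.exe\t200\t"
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "2015-06-01T10:01:30\t10.0.0.5\tPOST\thttp://198.51.100.20/\t200\tFileZilla",
    "2015-06-01T10:02:00\t10.0.0.9\tGET\thttp://updates.example.org/FileZilla_3.exe\t200\t"
    "FileZilla/3.10.3",
]


def parse_line(line):
    """Split one tab-separated log line into a dict; return None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return None
    keys = ("time", "client", "method", "url", "status", "ua")
    return dict(zip(keys, fields))


def classify(entry):
    """Return the list of Kelihos indicators this request matches (may be empty)."""
    reasons = []
    parsed = urlparse(entry["url"])
    if parsed.hostname in KELIHOS_DOWNLOAD_HOSTS:
        reasons.append("known Kelihos download host %s" % parsed.hostname)
    if parsed.path.rsplit("/", 1)[-1].lower() == KELIHOS_PAYLOAD_NAME:
        reasons.append("Kelihos payload filename")
    if entry["ua"].strip() in KELIHOS_USER_AGENTS:
        reasons.append("bare Kelihos User-Agent %r" % entry["ua"])
    return reasons


def hunt(lines):
    """Return (client, url, reasons) for every log line that matches an indicator."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["client"], entry["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in hunt(SAMPLE_LOG_LINES):
        print(client, url, "; ".join(reasons))
```

The host and filename checks will go stale as the operators rotate infrastructure, so treat them as campaign-specific indicators; the User-Agent check is the more durable of the two, since it keys on a behaviour of the malware rather than on where it was hosted on a given day.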
The malware extracts stored information such as usernames, passwords and host names from the following browsers:
- Google\Chrome
- Chromium
- ChromePlus
- Bromium
- Nichrome
- Comodo
- RockMelt
- CoolNovo
- MapleStudio\ChromePlus
- Yandex
Post Infection Communication
Conclusion
Nuclear EK remains a worthy rival to Angler EK, with widespread campaigns, regular exploit payload updates, new obfuscation techniques and new malware payloads. The final malware payload we saw in this campaign was the information-stealing Kelihos bot, which had extremely low AV detection.
ThreatLabZ is actively monitoring new Nuclear EK infections in the wild and ensuring that Zscaler customers are protected.
Research by Dhanalakshmi PK and Rubin Azad