Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Nuclear Exploit Kit - Complete Infection Cycle

September 18, 2014 - 4 min read
Zscaler ThreatLabZ has been seeing a steady increase in the Nuclear Exploit Kit (EK) traffic over the past few weeks. The detection of malicious activity performed by this EK remains low, due to usage of dynamic content and heavy obfuscation. In this blog, we will walk you through a complete Nuclear EK infection cycle with a live example. We will also share details of the identified payload, which had very low Anti-Virus (AV) detection rates.
The infection cycle begins with an unsuspecting user visiting a legitimate site that was compromised by the attackers. The compromised site in the example covered in this blog is www[.]cornwallmusiceducationhub[.]org that further redirects the victim to the Exploit Kit hosting server []. Nuclear EK is notorious for exploiting most popular browser plugins.

The following screenshot shows the malicious iframe injected on the compromised website.
Malicious iframe in compromised domain
The malicious iframe leads the users to a loading site, which in this case performs a second level redirection as shown below, eventually leading the victim to the Nuclear EK's landing page.
Redirecting to the Nuclear EK landing page

Redirection Chain observed in our example:
Compromised site : www[.]cornwallmusiceducationhub[.]org/tag/heartlands-pool/
Second level redirection site: fluersutel[.]tecnopes[.]com[.]ar/miksopulp16[.]html
EK Landing site: actudismatik[.]e-xms[.]com[.]ar/2150b060shv/1/9ffbf35e4190fbba62f70c8477fa3964[.]html
Redirection Chain

The Exploit kit landing page is heavily obfuscated to evade detection by AV and Intrusion Prevention Systems as seen below:
Landing Page

Now we will step through the complete dobfuscation of the landing page that was captured in above example. We leveraged the open source JavaScript beautifier to structure the landing page JavaScript code. Upon structuring the code, we determined that there were 51 unused variable declarations to confuse the researchers.

Going further, we observed that the following three functions VV8Y6W,wL3, and Fp4Ovo were responsible for the dynamic de-obfuscation of the EK landing page code. We have noted the action performed by each function in the following screenshot.

The following routine leverages the aforementioned functions to generate a key PluginDetect (V 0.8.8) script which we will discuss later. Image

Upon successful execution of the above code, the variable KKa will store the PluginDetect script. The following code will execute the script.Image


This script is derived from the well-known JavaScript library PluginDetect. This library is used by the exploit kit authors to do a detailed reconnaissance of victim's browser plugins. We will walk you through various actions performed by this script before executing the exploit payload.

First the detectPlatform function will check for the operating system running on the victim machine:

Subsequently, the script will also check the version of well-known browser plugins, which includes Java, Adobe Reader, Adobe Flash, and Silverlight. 

It then leverages the XML DOM information leakage vulnerability to enumerate through the system driver files residing in the C:\Windows\System32\drivers\ directory. If it finds any AV driver files, the script will terminate the infection cycle.Image

Next, the script will check for the vulnerable versions of the loaded plugins and accordingly run the identified application exploit function.

The following screenshot shows the application specific exploit functions:Image

Below are the exploit payloads that were getting served if the related application plugin version was found to be vulnerable by the Nuclear EK instance that we analyzed. AV detection for the payloads delivered by this variant remained poor at the time of blog publication.

Silverlight Exploit:
MD5: 94ef35e1ecf0a486ab790957ad794a85
Size: 9139
VT: 2/55
Flash Exploit:
MD5: da5d57c700ebec211a6a57166700e796
Size: 5832
VT: 1/55
PDF Exploit:
MD5: 3676bf357f0678a609df6831b7a870a0
Size: 9769
VT: 1/54

If the exploit attempt is successful, then the EK code will silently download and install the following malware payload on the victim machine.


form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.