Zscaler Blog

Nuclear Exploit Pack Getting More Aggressive

October 29, 2013 - 4 min read
Churning through our logs, we recently observed a significant rise in the number of transactions involving the Nuclear Exploit Pack, which has been in the news for quite some time now. In the past week alone we saw thousands of transactions tied to Nuclear Exploit Pack infections.

We could see the whole exploit chain in our logs. The exploit kit itself was hosted mainly on the following IPs:


Whois information on this net block range shows that these IPs are hosted in Russia (no surprises here!).

A few transactions were also found at the IP: 158[.]255[.]6[.]117 (this may be related to a campaign posted by @malwaremustdie).

Some sample referrer URLs that lead to the exploit kit are shown below:

Upon examining one of these infected sites, we observed the typical Nuclear Exploit Pack pattern: a series of HTTP 302 redirects (with 304 responses in the chain) that finally lands the browser on the exploit kit landing page, as shown below.

The landing page contained an obfuscated JavaScript payload. Deobfuscating it yielded the original JavaScript: plugin detection code followed by applet/PDF injection code, very similar to what we typically see from the Blackhole Exploit Kit.

The injected applet tag loads a malicious JAR file that exploits CVE-2013-2460, as shown here. The following screenshot shows the JAR file exploiting the vulnerability. Once it has gained code execution, the JAR file downloads and invokes the malicious executable. A recent VirusTotal report shows a poor detection ratio for the JAR file.
We managed to collect 19 malware samples dropped by this exploit kit. Most of them were SpyEye/Zbot drops, along with ransomware, W32.Caphaw, injection trojans, proxy trojans, keyloggers and spam bots. The following reports detail the malware found:
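The chain described above (referrer, one or more 3xx hops, the landing page, the JAR fetch, then the dropped executable) is easy to pick out of proxy logs once you look for it per client. The script below is an added example, not Zscaler's own tooling: it reconstructs that chain from a constructed tab-separated log (timestamp, client, status, method, URL, content type, referrer), flags a JAR download followed shortly by an EXE from the same host, and marks the host as a known indicator only for the IP quoted in this post. The log format, the sample lines, the 90-second window and the hostnames are assumptions made for the example.

```python
"""Spot Nuclear Pack style exploit chains in web-proxy logs.

Added example, not Zscaler's own tooling. The log format and the sample
lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# The only exploit-kit host named in the post; anything else here would be an assumption.
KNOWN_EK_HOSTS = {"158.255.6.117"}

WINDOW = timedelta(seconds=90)  # assumption: landing -> JAR -> EXE completes inside this window

JAR_TYPES = {"application/java-archive", "application/x-java-archive"}
EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}

# Constructed sample log: first client shows the full chain, second client is benign noise.
SAMPLE_LOG = """\
2013-10-25T10:00:01\t10.1.1.5\t200\tGET\thttp://compromised.example/index.php\ttext/html\t-
2013-10-25T10:00:02\t10.1.1.5\t302\tGET\thttp://compromised.example/wp-content/go.php\ttext/html\thttp://compromised.example/index.php
2013-10-25T10:00:03\t10.1.1.5\t302\tGET\thttp://tds.example/in.cgi?8\ttext/html\thttp://compromised.example/index.php
2013-10-25T10:00:04\t10.1.1.5\t200\tGET\thttp://158.255.6.117/a1b2c3/d4e5.html\ttext/html\thttp://compromised.example/index.php
2013-10-25T10:00:06\t10.1.1.5\t200\tGET\thttp://158.255.6.117/a1b2c3/f6g7.jar\tapplication/java-archive\thttp://158.255.6.117/a1b2c3/d4e5.html
2013-10-25T10:00:09\t10.1.1.5\t200\tGET\thttp://158.255.6.117/a1b2c3/h8i9.exe\tapplication/x-msdownload\t-
2013-10-25T10:05:00\t10.1.1.9\t200\tGET\thttp://downloads.example/tool.jar\tapplication/java-archive\thttp://downloads.example/
2013-10-25T10:30:00\t10.1.1.9\t200\tGET\thttp://updates.example/setup.exe\tapplication/x-msdownload\t-
"""


def parse_line(line):
    """Split one tab-separated log record into a dict with a parsed timestamp and host."""
    ts, client, status, method, url, ctype, referer = line.rstrip("\n").split("\t")
    return {
        "ts": datetime.fromisoformat(ts), "client": client, "status": int(status),
        "method": method, "url": url, "ctype": ctype, "referer": referer,
        "host": urlsplit(url).hostname,
    }


def _is_jar(r):
    return r["ctype"] in JAR_TYPES or r["url"].lower().endswith(".jar")


def _is_exe(r):
    return r["ctype"] in EXE_TYPES or r["url"].lower().endswith(".exe")


def find_chains(log_text):
    """Return one hit per client whose traffic matches redirect(s) -> landing -> JAR -> EXE."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            r = parse_line(line)
            by_client[r["client"]].append(r)

    hits = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, jar in enumerate(reqs):
            if not _is_jar(jar):
                continue
            # Stage 3: a binary fetched from the same host shortly after the JAR was served.
            exe = next((r for r in reqs[i + 1:]
                        if _is_exe(r) and r["host"] == jar["host"]
                        and r["ts"] - jar["ts"] <= WINDOW), None)
            if exe is None:
                continue
            # Stages 1-2: 3xx hops and the HTML landing page from the JAR host just before it.
            earlier = [r for r in reqs[:i] if jar["ts"] - r["ts"] <= WINDOW]
            redirects = [r["url"] for r in earlier if 300 <= r["status"] < 400]
            landing = next((r["url"] for r in reversed(earlier)
                            if r["host"] == jar["host"] and r["ctype"].startswith("text/html")), None)
            hits.append({
                "client": client, "ek_host": jar["host"],
                "known_host": jar["host"] in KNOWN_EK_HOSTS,
                "redirects": redirects, "landing": landing,
                "jar": jar["url"], "exe": exe["url"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG):
        print(hit)
```

A JAR followed by an EXE from the same host is the strongest signal here; the redirect hops and the landing page are recorded so an analyst can pull the referring (compromised) site and the traffic distribution system out of the same hit. Tune the window and the content-type sets to what your proxy actually logs.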

Java, software that runs on over one billion devices and is even used to authorize and authenticate tokens in banking applications, continues to be exploited. The Nuclear Pack follows the familiar pattern: its authors took a recent Java CVE and built it into the exploit kit. If you do not need Java in the browser, disable the Java browser plugin; if you do need it, keep it patched (Oracle fixed CVE-2013-2460 in Java 7 Update 25, released in June 2013), because a successful exploit leads to credential leakage, information theft and your machine becoming a bot. Stay safe and happy browsing!