Nuclear Exploit Pack Getting More Aggresive

The Zscaler Experience
Your world, secured

Experience the transformative power of zero trust.

Zscaler: A Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge (SSE)

Get the full report

The Zscaler Difference

Experience the World’s Largest Security Cloud

Customer Success Stories

Analyst Recognition

Machine Learning and AI at Zscaler

Reduce Your Carbon Footprint

Zero Trust Fundamentals

What is Zero Trust?

What is Security Service Edge (SSE)?

What is Secure Access Service Edge (SASE)?

What is Zero Trust Network Access (ZTNA)?

What is Secure Web Gateway (SWG)?

What is Cloud Access Security Broker (CASB)?

What is a Cloud Native Application Protection Platform (CNAPP)?

Zero Trust Resources
Products & Solutions
Secure Your Users

Provide users with seamless, secure, reliable access to applications and data.

Secure Your Workloads

Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud.

Secure Your IoT and OT

Provide zero trust connectivity for IoT and OT devices and secure remote access to OT systems.

Products

Transform your organization with 100% cloud native services

Secure Internet Access (ZIA)

Secure Private Access (ZPA)

Data Protection (CASB/DLP)

Digital Experience (ZDX)

Posture Control

Partner Integrations

Industry and Market Solutions

Solution Areas

Propel your business with zero trust solutions that secure and connect your resources

Stop Cyberattacks

Protect Data

Zero Trust App Access

VPN Alternative

Accelerate M&A Integration

Optimize Digital Experiences

Zero Trust SD-WAN

Build and Run Secure Cloud Apps

Zero Trust Cloud Connectivity

Zero Trust for IoT/OT

Zero Trust for Private 5G

Find a product or solution

Find a product or solution
Platform
Zero Trust Exchange Platform

Learn how Zscaler delivers zero trust with a cloud native platform built on the world’s largest security cloud.

Transform with Zero Trust Architecture

Propel your transformation journey

Secure Digital Transformation

Application Transformation

Network Transformation

Security Transformation

Secure Your Business Goals

Achieve your business and IT initiatives

Ensure Secure Business Continuity

Accelerate M&A and Divestitures

Recession-Proof Your Enterprise

Secure Your Hybrid Workforce

Download Zscaler Client Connector
Resources
Learn, Connect, and Get Support.

Explore tools and resources to accelerate your transformation and secure your world.

Resource Center

Stay up to date on best practices

Resource Library

Blog

Customer Success Stories

Webinars & Demos

Zpedia

Events & Trainings

Find programs, certifications, and events

Upcoming Events

Zenith Live

Zscaler Academy

Interactive Zscaler Whiteboard Workshop

Security Research & Services

Get research and insights at your fingertips

ThreatLabz Analytics

Tools

Tools designed for you

Security and Risk Assessment

Security Advisory Updates

Disclose a Vulnerability

Executive Insights App

Ransomware Protection ROI Calculator

Community & Support

Connect and find support

Customer Success Center

Zenith Community

CXO Revolutionaries

Zscaler Help Portal

Download Zscaler Client Connector

Industry & Market Solutions

See solutions for your industry and country

Public Sector

Healthcare

Financial Services

Education

See all
Company

About Zscaler

Discover how it began and where it’s going

Partners

Meet our partners and explore system integrators and technology alliances

News & Announcements

Stay up to date with the latest news

Leadership Team

Meet our management team

Partner Integrations

Explore best-in-class partner integrations to help you accelerate digital transformation

Investor Relations

See news, stock information, and quarterly reports

Environmental, Social & Governance

Learn about our ESG approach

Careers

Join our mission

Press Center

Find everything you need to cover Zscaler

Compliance

Understand our adherence to rigorous standards

Zenith Ventures

Understand our adherence to rigorous standards
Request a demo

Churning through our logs, we recently observed a significant rise in the number of transactions involving the Nuclear Exploit Pack, which has been in the news for quite some time now. In the past week, we stumbled upon thousands of transactions involving the Nuclear Exploit Pack infestation.

We could see the whole exploit chain in our logs and the exploit kit was hosted mainly originating from the following IPs:

198[.]50[.]235[.]204
198[.]50[.]235[.]203
198[.]50[.]235[.]174
198[.]50[.]235[.]152
198[.]50[.]235[.]36

Whois information on this net block range shows that these IPs are hosted in Russia (no surprises here!).

A few transactions were also found at the IP: 158[.]255[.]6[.]117 (this may be related to a campaign posted by @malwaremustdie).

Some sample referral URLs, which lead to the exploit kit are shown below:

fouce[.]paroyourjob[.]info
bluesevs[.]likedating[.]info
datzone[.]onlinesdating[.]info
www[.]jornaiserevistas[.]com
www[.]noticiasaominuto[.]com
www[.]johnjones1[.]com
goodzdatin[.]work4wheelsa[.]info
www[.]tyleroralsurgery[.]com
kempmeek[.]com

Upon examining one of these infected sites, a typical Nuclear Exploit pack pattern was observed. A series of 304/302 redirects that finally leads to the exploit kit landing page as shown below.

The landing page contained an obfuscated JavaScript payload that was deobfuscated to get the original JavaScript plugin detection and applet/pdf injection code. It was similar to what we typically see from the. Blackhole Exploit Kit.

The applet is used to make a call to the malicious jar file which uses CVE-2013-2460, as shown here. The following screenshot, shows the JAR file exploiting the vulnerability. The JAR file then downloads and invokes the malicious executable. a recent VT report shows a poor detection ratio for the JAR file.

We managed to collect 19 malware samples that were dropped by this exploit kit. Most of them were Spyeye/Zbot drops, Ransomware, W32.Caphaw, Injection Trojan, Proxy Trojan, Keylogger, Spam Bot etc. The following reports detail the malware found:

https://www.virustotal.com/en/file/36eec2b80586211f14bd7f9af3dc68afec629fc9f3071933e959570ac58d87be/analysis/1382745996/
https://www.virustotal.com/en/file/beb0f5929f886a505b31a98f6ae9b4b02bb303088f1c8ecd74ef6516189e4248/analysis/1382746009/
https://www.virustotal.com/en/file/45b3e40cb392489251dec6b24f575c4281570f427b83a6d4d983c86ace35fc7e/analysis/1382746036/
https://www.virustotal.com/en/file/4b708d1ee0d0bac61825ed9ede005978a5610d60fce27b69c2b862fd65e2c07e/analysis/1382746051/
https://www.virustotal.com/en/file/f2219983385daa9d1fadb144088f84d154775dca3002f82e855897f7e8b40d04/analysis/1382746068/
https://www.virustotal.com/en/file/2bb3bc2ebf299d853ddff54c142849882dfa6fc9fa32620cf2ddd01507606e8e/analysis/1382746101/
https://www.virustotal.com/en/file/0d7feaa9595c23828b1d1e7ca898da9a694b151b0a8c87350e001e8f8b7e3fb8/analysis/1382746122/
https://www.virustotal.com/en/file/42d8cb1b05b6d9ed5adabfb2f3184738378b4bbf72b39139bab37de764e99b4a/analysis/1382746135/
https://www.virustotal.com/en/file/d671fd25f75323d74621c6c9e520dd84f64b2ed2588a58838e65283e9067b8c9/analysis/1382746303/
https://www.virustotal.com/en/file/fecdc7eb44508a80e548955945737e2739ec2a6f9f8c4c05d35869a73f82ec2c/analysis/1382746155/
https://www.virustotal.com/en/file/288fae8c7a7f34e36e1ace80fd73392cffc83e53dfdb1961252296692499463e/analysis/1382746167/
https://www.virustotal.com/en/file/b94e93b4b25b1ff7d0dbc8aa3f6c5af80ee0afc4005eddb52d364a59ab8e308a/analysis/1382746305/
https://www.virustotal.com/en/file/8b543c1cce54aec0b6c4b85102bb2a5ffa7f10e69dab19a8812d7b069e84ee5d/analysis/1382746188/
https://www.virustotal.com/en/file/5f84ab5ac0548d2257084e6542d7fd5678bf3f8175f0b8c6e9098a3187f7e4bb/analysis/1382746200/
https://www.virustotal.com/en/file/cbb32fba48f0029b1e6191130b0e68fe44c8364303badd8fc485a1c4d7bf4fc7/analysis/1382746211/
https://www.virustotal.com/en/file/233d56bd1d40608c6302760b4920a4b9daf60df7e32f23fd9f5210603dcb313a/analysis/
https://www.virustotal.com/en/file/2d7df365e65a9415611411aa44c8ed6d7439bfa3c2dfbf21afaff3fd520a79e3/analysis/1382746237/
https://www.virustotal.com/en/file/02e440ccb37a82b3fea48c03849af40ed9110069b555b50f3fa79945dd7caa08/analysis/1382746252/
https://www.virustotal.com/en/file/93167da47833a257ac2d231e10d0b8f8d1f33c4727521fb5bcf6a189522f3e0f/analysis/1382746259/

Java, software that runs on over one billion devices and is even used to authorize/authenticate tokens in banking applications, continues to be exploited. The Nuclear Pack follows this same pattern, as the authors have taken a recent Java CVE and crafted it into the exploit kit. It is always advisable to disable java on your computer to prevent falling victim to an attack that leads to credential leakage, information theft and becoming a bot. Stay safe and happy Browsing!

Zscaler named a Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge

Your world, secured

Zscaler: A Leader in the 2023 Gartner® Magic Quadrant™ for Security Service Edge (SSE)

The Zscaler Difference

Zero Trust Fundamentals

Secure Your Users

Secure Your Workloads

Secure Your IoT and OT

Products

Solution Areas

Zero Trust Exchange Platform

Transform with Zero Trust Architecture

Secure Your Business Goals

Learn, Connect, and Get Support.

Resource Center

Events & Trainings

Security Research & Services

Tools

Community & Support

Industry & Market Solutions

About Zscaler

Partners

News & Announcements

Leadership Team

Partner Integrations

Investor Relations

Environmental, Social & Governance

Careers

Press Center

Compliance

Zenith Ventures

Security Insights

Nuclear Exploit Pack Getting More Aggresive

Author

ThreatLabz

Recommended for You

Threading the needle on innovation and security with ChatGPT

Make generative AI tools like ChatGPT safe and secure with Zscaler

3CX Supply Chain Attack Campaign

Coverage Advisory for 3CX Supply Chain Attack

Get the latest Zscaler blog updates in your inbox