Wednesday, October 30, 2013

NHIC Spam Harvesting Victim's Information

Scammers and spammers are known to capitalize on users' appetite for news.  In the past year they have tricked users into clicking malicious links in e-mails, blog comments and social media posts on everything from the Royal Baby to the U.S. Government shutdown.  The end result varies from scam to scam, but the tactic remains the same: provide just enough intrigue and official-looking graphics or text to pique the user's curiosity and take advantage of less savvy users.  This time the lure is interest in health care plans supposedly offered by the National Health Information Center (NHIC), a U.S. government-run health information referral service.

Stock image that leads to a fake enrollment form

This e-mail has been in circulation for a while now and shows no signs of letting up, which usually means the spam campaign is working.  Victims will be disappointed to find that they are not signing up for preventive health treatment, but are instead signing themselves up as victims of Personally Identifiable Information (PII) theft.  Clicking the link executes an obfuscated JavaScript snippet that forwards the user to a contact information request form.

Less savvy users may think this is part of the process of applying to the NHIC, but it is an elaborate fraud designed to convince users to hand over their PII willingly so that it can be sold or used in further attacks later on.

Users should take extra care when handling e-mail attachments and links.  No matter how official a site looks, a degree of caution is always warranted before handing out PII over the Internet.

Tuesday, October 29, 2013

Nuclear Exploit Pack Getting More Aggressive

Churning through our logs, we recently observed a significant rise in the number of transactions involving the Nuclear Exploit Pack, which has been in the news for quite some time now. In the past week alone we saw thousands of transactions involving Nuclear Exploit Pack infections.

We could see the whole exploit chain in our logs, and the exploit kit was hosted mainly at the following IPs:


Whois information on this net block range shows that these IPs are hosted in Russia (no surprises here!).

A few transactions were also found at the IP: 158[.]255[.]6[.]117 (this may be related to a campaign posted by @malwaremustdie).

Some sample referrer URLs that lead to the exploit kit are shown below:


Upon examining one of these infected sites, we observed the typical Nuclear Exploit Pack pattern: a series of HTTP 304/302 redirects that finally leads to the exploit kit landing page, as shown below.

The landing page contained an obfuscated JavaScript payload; deobfuscating it yielded the original plugin-detection and applet/PDF injection code, similar to what we typically see from the Blackhole Exploit Kit.

The injected applet loads the malicious JAR file, which exploits CVE-2013-2460, as shown here. The following screenshot shows the JAR file exploiting the vulnerability. Once the exploit succeeds, the JAR file downloads and invokes the malicious executable. A recent VirusTotal report shows a poor detection ratio for the JAR file.
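The chain described above (redirects from a compromised referrer, a landing page on a raw-IP host, a JAR request, then an executable download) is the kind of sequence a proxy log lets you reconstruct per client. The following is an added example, not code from the original post: it parses a constructed proxy log in an assumed layout (timestamp, client IP, status, method, URL, referer, content type) and reports clients whose requests match that sequence within a short time window. All hosts, client addresses and the log format are constructed for illustration (RFC 5737 and RFC 2606 reserved values), not taken from the campaign.

```python
"""Reconstruct a Nuclear-style infection chain from proxy log lines.

Added example, not code from the original post.  Log layout is assumed:
  <timestamp> <client IP> <status> <method> <URL> <referer> <content type>
with "-" for an empty referer.  Hosts and addresses are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Statuses treated as redirects; the post reports 304/302 chains.
REDIRECT_STATUSES = {"301", "302", "303", "304", "307"}
JAR_TYPES = {"application/java-archive", "application/x-java-archive"}
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec",
             "application/octet-stream"}

# Constructed sample log: one infected client (10.0.0.5) and one benign
# client (10.0.0.7) that fetches an intranet JAR with no redirect chain.
SAMPLE_LOG = """\
2013-10-25T10:01:02Z 10.0.0.5 200 GET http://compromised.example/news.html - text/html
2013-10-25T10:01:03Z 10.0.0.5 302 GET http://redir.example/go.php?id=7 http://compromised.example/news.html text/html
2013-10-25T10:01:04Z 10.0.0.5 200 GET http://192.0.2.10/landing/index.php http://compromised.example/news.html text/html
2013-10-25T10:01:05Z 10.0.0.5 200 GET http://192.0.2.10/landing/1.jar http://192.0.2.10/landing/index.php application/java-archive
2013-10-25T10:01:07Z 10.0.0.5 200 GET http://192.0.2.10/landing/f.php?e=1 - application/x-msdownload
2013-10-25T10:05:00Z 10.0.0.7 200 GET http://intranet.example/ - text/html
2013-10-25T10:05:01Z 10.0.0.7 200 GET http://intranet.example/app.jar http://intranet.example/ application/java-archive
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a short line."""
    ts, client, status, method, url, referer, ctype = line.split(" ", 6)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client, "status": status, "method": method,
        "url": url, "referer": referer, "ctype": ctype.strip(),
    }


def is_ip_host(url):
    """True when the URL's host is a bare IP address rather than a name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_host(a, b):
    return urlparse(a).hostname == urlparse(b).hostname


def find_chains(log_text, window=60):
    """Return one finding per client whose requests match the chain.

    A finding needs, within `window` seconds of a landing page served as
    text/html from a raw-IP host: a redirect status before it, then a JAR
    from the landing host, then an executable from the same host.
    """
    by_client = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            entry = parse_line(raw)
            by_client[entry["client"]].append(entry)

    findings = []
    span = timedelta(seconds=window)
    for client, entries in by_client.items():
        entries.sort(key=lambda e: e["ts"])
        for i, page in enumerate(entries):
            if (page["status"] != "200"
                    or not page["ctype"].startswith("text/html")
                    or not is_ip_host(page["url"])):
                continue
            before = [e for e in entries[:i] if page["ts"] - e["ts"] <= span]
            after = [e for e in entries[i + 1:] if e["ts"] - page["ts"] <= span]
            if not any(e["status"] in REDIRECT_STATUSES for e in before):
                continue
            jar = next((e for e in after
                        if same_host(e["url"], page["url"])
                        and (e["ctype"] in JAR_TYPES
                             or urlparse(e["url"]).path.endswith(".jar"))), None)
            if jar is None:
                continue
            exe = next((e for e in after
                        if e is not jar and e["ts"] >= jar["ts"]
                        and same_host(e["url"], page["url"])
                        and e["ctype"] in EXE_TYPES), None)
            if exe is None:
                continue
            findings.append({"client": client, "referer": page["referer"],
                             "landing": page["url"], "jar": jar["url"],
                             "payload": exe["url"]})
    return findings


if __name__ == "__main__":
    for finding in find_chains(SAMPLE_LOG):
        print(finding)
```

On the constructed log this reports the 10.0.0.5 chain and ignores the intranet JAR fetch, since that client never passed through a redirect or a raw-IP landing page. The raw-IP landing heuristic matches this campaign's hosting; a kit behind a domain name would need the same-host and redirect checks without it.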

We collected 19 malware samples dropped by this exploit kit. Most were SpyEye/Zbot drops, along with ransomware, W32.Caphaw, an injection Trojan, a proxy Trojan, a keylogger, a spam bot and others. The following reports detail the malware found:

Java, software that runs on over one billion devices and is even used to authorize/authenticate tokens in banking applications, continues to be exploited. The Nuclear Pack follows the same pattern as its competitors: the authors have taken a recent Java CVE and built it into the kit. It is always advisable to disable Java in your browser (or remove it entirely if you do not need it) to avoid falling victim to an attack that leads to credential leakage, information theft and your machine becoming a bot. Stay safe and happy browsing!