
Newest Flash Player Exploit & Double Nuclear Exploit Kit Payload

Posted by Zachariah Boren, 11.05.15, 04:38 PM

11.05.15 01:43 PM

Yesterday, we blogged about a malvertising campaign affecting a popular Indonesian news site and leading to the Nuclear Exploit Kit. Today we came across another compromised website that leads to the Nuclear Exploit Kit, but this time we received two malware payloads after the newest Adobe Flash Player vulnerability was exploited. It is worth noting that no user interaction was required at any point--simply visiting the compromised website was enough to end up with malware being executed on our machine.

Raytheon | Websense® customers are protected against this threat via real-time analytics in ACE, the Websense Advanced Classification Engine.

Compromised Website

While reviewing interesting hits on security-related events today, we noticed a website named thisblewmymind[.]com. The website claims to be "viral media for the brain," which may be somewhat true since the site drops viruses on your computer. Google does identify the site as likely compromised:

According to SimilarWeb, this site is actually quite popular, recently receiving almost 2 million users per month:

Unfortunately for people browsing to this site, it is injected with obfuscated JavaScript that ends up leading to the Nuclear Exploit Kit and dropping malware.

Flash Player Exploit

The infection chain we saw resulted in Adobe Flash Player version being exploited by the Nuclear Exploit Kit to drop malware. This means that the exploit is likely to be the newest Flash exploit, leveraging CVE-2015-7645, which was recently known to have been incorporated into the Nuclear and Angler exploit kits. In fact, the Nuclear Exploit Kit seems to be packaging up two different Flash Player exploits inside one parent SWF file (VirusTotal), and dynamically choosing which one to load, depending on the current Flash Player version. If it detects version or below, an exploit leveraging CVE-2015-5122 is used. Otherwise, the new exploit is chosen:

We successfully managed to unpack the new SWF exploit, and found that it had been on VirusTotal since 31 October.

Malware Payloads

It's not typical to see more than one payload dropped by an exploit kit, but in this instance both Gamarue and CryptoWall 3.0 were dropped and executed via the Flash Player exploit.

Gamarue is modular, plug-in based malware belonging to the Andromeda botnet. Its main intent is usually for credential theft. CryptoWall 3.0 is crypto ransomware that encrypts your files and demands payment in BitCoin to have them decrypted:

Indicators of Compromise

Below are some indicators of compromise from the threat described in this blog:

hxxp://thisblewmymind[.]com - Compromised website

hxxp://cdn[.]goroda235[.]pw/ - Malicious redirect

hxxp://zadnicaberezu[.]tk/ - Nuclear Exploit Kit

2ed1953d2b182a0319041e73f6489d4151475dff - Nuclear EK SWF
36356533f44d6107d49662c78a56149e2f359fcc - Nuclear EK SWF (unpacked)

3d5682ac799cace0325ca5437445fd3c163ee4ff - Gamarue

9d3cc04dc97d0791565cf69778ee864f8af5d7f7 - CryptoWall 3.0


The Nuclear Exploit Kit operators seem to be looking to maximize their profits by dropping multiple pieces of malware onto machines, capitalizing on the new Adobe Flash Player exploit and compromising popular sites in order to infect as many users as possible. As always, it is important to ensure that your software is up to date, especially your browser and associated plug-ins like Adobe Flash Player.

Reply With Quote
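Added example, not part of the original post: one way a defender could triage web proxy logs against the three URL indicators listed above, reporting the furthest stage of the chain (compromised site, redirect, exploit kit) that each client reached. The log format, client addresses, timestamps and stage labels are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# URL indicators as listed in the post, kept defanged; list order is the chain order.
IOCS = [
    ("hxxp://thisblewmymind[.]com", "compromised_site"),
    ("hxxp://cdn[.]goroda235[.]pw/", "redirect"),
    ("hxxp://zadnicaberezu[.]tk/", "exploit_kit"),
]
STAGES = [label for _, label in IOCS]

def refang(value):
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return value.replace("hxxp", "http", 1).replace("[.]", ".")

def host_of(url):
    """Lower-cased hostname of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

IOC_HOSTS = {host_of(refang(url)): label for url, label in IOCS}

def stage_for(host):
    """Match an indicator host or any subdomain of it, never a lookalike suffix."""
    for ioc_host, label in IOC_HOSTS.items():
        if host == ioc_host or host.endswith("." + ioc_host):
            return label
    return None

def triage(log_lines):
    """Return {client: furthest chain stage seen} for clients that hit an indicator."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:  # skip malformed lines
            continue
        stage = stage_for(host_of(parts[3]))
        if stage:
            seen[parts[1]].add(stage)
    return {c: max(s, key=STAGES.index) for c, s in seen.items()}

# Constructed sample lines (assumed format: timestamp client method url).
SAMPLE_LOG = [
    "2015-11-05T13:01:02Z 10.0.0.5 GET " + refang("hxxp://www[.]thisblewmymind[.]com/"),
    "2015-11-05T13:01:03Z 10.0.0.5 GET " + refang("hxxp://cdn[.]goroda235[.]pw/"),
    "2015-11-05T13:01:04Z 10.0.0.5 GET " + refang("hxxp://zadnicaberezu[.]tk/"),
    "2015-11-05T13:07:40Z 10.0.0.9 GET " + refang("hxxp://thisblewmymind[.]com/"),
    "2015-11-05T13:09:11Z 10.0.0.7 GET http://example.org/?ref=" + refang("thisblewmymind[.]com"),
]
if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A client whose furthest stage is `exploit_kit` reached the kit's host and is the priority for endpoint checks against the file hashes above; a client that stopped at `compromised_site` only loaded the injected page.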
