Nuclear Pack exploit kit introduces anti-honeyclient crawling feature

Summary: While profiling yet another malicious campaign serving malware and exploits, security researchers from ESET have stumbled upon a new feature introduced in the Nuclear Pack web malware exploitation kit.

For years, the security community has been developing efficient ways to evaluate the maliciousness of as many web sites as possible by crawling them for malicious content in an automated fashion. Thanks to the rise of botnets as an exploitation platform, today's cybercriminals largely rely on compromised legitimate infrastructure as a delivery vehicle for their malicious content, rather than on purely malicious sites as an infection/propagation vector.

Naturally, cybercriminals keep track of the latest anti-malware security research, and constantly adapt to the latest innovations by introducing new features within the most widely used web malware exploitation kits.

According to security researchers from ESET, while profiling yet another malicious campaign serving malware and exploits, they stumbled upon a new feature introduced in the Nuclear Pack web malware exploitation kit.

More details:

We have tracked some interesting activity through the injected code block with iFrame redirection: JavaScript code is used to capture mouse activity with the onmousemove event and only after that does malicious activity continue with the redirection. This activity enabled us to identify a simple method being used to bypass crawlers used by AV companies and others. These are the first steps towards the criminal's proactive detection of real user activity for tracking detections and bypassing malware collecting by whitehat crawlers.
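
As an added illustration (not code from ESET's write-up or from this article), here is a defender-side heuristic in Python that scans injected script blocks for a mousemove handler whose body goes on to inject an iframe or redirect the page, which is the gating pattern described above. The regexes are an assumption standing in for a real JavaScript parser, and the sample pages are constructed with placeholder hosts.

```python
import re

# Assumption: regex heuristics rather than a JS parser; a honeyclient would
# normally instrument the browser, but this works on captured page source.
MOUSE_GATE = re.compile(
    r"""(?:\.onmousemove\s*=\s*|(?:addEventListener|attachEvent)\s*\(\s*['"](?:on)?mousemove['"]\s*,\s*)(\w+)?""",
    re.I)
REDIRECT = re.compile(
    r"""(?:createElement\s*\(\s*['"]iframe['"]|<iframe|location(?:\.href)?\s*=[^=]|location\.(?:replace|assign)\s*\(|document\.write\s*\()""",
    re.I)
SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)

def handler_body(script, match, window=400):
    """Return the code that runs on mousemove: the text after an inline
    handler, or the body of a named function passed by identifier."""
    name = match.group(1)
    if name and name.lower() != "function":
        m = re.search(r"function\s+%s\s*\([^)]*\)\s*\{" % re.escape(name), script)
        if m:
            return script[m.end():m.end() + window]
    return script[match.end():match.end() + window]

def find_gated_redirects(html, window=400):
    """One finding per <script> block whose mousemove handler redirects."""
    hits = []
    for idx, script in enumerate(SCRIPT.findall(html)):
        for gate in MOUSE_GATE.finditer(script):
            red = REDIRECT.search(handler_body(script, gate, window))
            if red:
                hits.append({"script": idx, "gate": gate.group(0).strip(),
                             "redirect": red.group(0).strip()})
                break
    return hits

# Constructed samples (placeholder hosts): gated iframe injection, gated
# redirect via a named handler, and a benign tooltip handler.
SAMPLE_GATED_IFRAME = """<html><body><script>
document.onmousemove = function () {
  var f = document.createElement('iframe');
  f.src = 'http://example.invalid/placeholder';
  f.width = 0; f.height = 0;
  document.body.appendChild(f);
};
</script></body></html>"""
SAMPLE_NAMED_HANDLER = """<script>
function go(e) { window.location.href = 'http://example.invalid/placeholder'; }
document.addEventListener('mousemove', go, false);
</script>"""
SAMPLE_BENIGN = """<script>
document.addEventListener('mousemove', function (e) {
  document.getElementById('tip').style.left = e.clientX + 'px';
}, false);
</script>"""
```

A honeyclient that synthesizes mouse events before judging a page defeats the trick directly; this static check is cheaper and flags the pattern in crawled source.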

The new feature is just the tip of the iceberg. Here are some of the most common evasive techniques used by cybercriminals to prevent vendors and security researchers from analyzing their campaigns:

  • The use of session-based cookies
  • The use of HTTP referrers to ensure the exploitation chain is complete
  • The use of banned IPs of known security vendor netblocks
  • The use of OS fingerprinting/browser fingerprinting techniques
  • The serving of malicious content only once for a given IP address
  • Managed iFrame and JavaScript crypting/obfuscating services, dynamically introducing scripts with low-detection rates

For the time being, the most widely used web malware exploitation kit remains the Black Hole exploit kit. Only time will tell whether its author will introduce the anti-crawling feature in the exploit kit, but given that they introduce newly released exploits in a timely manner, it may already be on the "to-do" list of the cybercriminal behind the kit.

Topics: Malware, Networking, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

1 comment
  • Nice, a bigger step to Self Awareness of the user

    Now that standard link scanners are becoming just as unreliable as signature based AVs, users will have to be more careful of the links they click; no more "the link scanner said it's a clean site" in decision making :)

    99.99% doubt that is gonna happen in the next 2 decades; can't prevent PEBCAK threats :(
    MrElectrifyer