International Council for Women website compromised by Nuclear malware

Security exploits

Security firm Zscaler has discovered a serious compromise on the website of the International Council for Women (ICW) that could leave visitors open to ransomware and data-stealing malware.

The infected website deploys a malicious iframe when users visit it, which leads the victim to a landing site for the pernicious botnet Nuclear exploit kit (Nuclear EK).

Nuclear EK has been around since 2009 and is, according to Heimdal Security, one of the most widely used exploit kits on the web. It is able to deploy a broad range of attacks, including exploiting security holes in Silverlight, pdf, Internet Explorer and Flash. It has been particularly successful as it is fast evolving and uses so many exploit channels, through which it delivers primarily zero-day attacks that are undetectable by antimalware and antivirus tools.

The Nuclear EK landing page that the ICW compromise leads to is, Zscaler says, highly obfuscated to avoid detection by security software.

This particular version of the kit uses JavaScript to deliver a malicious Flash file, which contains a separate payload - the Kelihos botnet.

Kelihos is also an established piece of malware, having first been detected in 2010. While it is often used for sending out spam email and carry out denial of service (DDoS) attacks, it has also been involved in Bitcoin wallet theft, Bitcoin mining, data theft and downloading and executing arbitrary files.

In the case of the version found by Zscaler on the ICW site, Kelihos will check for the presence of 20 digital currency and FTP programs. It also extracts stored information from 10 browsers, including Chrome, such as user names, passwords and host names. A full list of the targeted programs can be found at the end of this article.

"Nuclear EK remains a worthy rival to Angler EK, with widespread campaigns, regular exploit payload updates, new obfuscation techniques and new malware payloads," said Zscaler researchers Dhanalakshmi PK and Rubin Azad. "The end malware payload we saw in this campaign was the information stealing Kelihos bot which has extremely low AV detection."

Affected FTP and digital currency software:

3D-FTPBitcoinBitKinexBlazeFtpBullet Proof FTPClassic FTPCore FTPCuteFTPCyberduckDirectory OpusFFFTPFileZillaFrigate3FTPGetterLeapFTPFTPRushxtermPuTTYSecureFXSmartFTP

Affected browsers: Google\ChromeChromiumChromePlusBromiumNichromeComodoRockMeltCoolNovoMapleStudio\ChromePlusYandex

Jane McCallion
Managing Editor

Jane McCallion is ITPro's Managing Editor, specializing in data centers and enterprise IT infrastructure. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.