International Council for Women website compromised by Nuclear malware
Pernicious Nuclear EK botnet targets unwitting site visitors


Security firm Zscaler has discovered a serious compromise on the website of the International Council for Women (ICW) that could leave visitors open to ransomware and data-stealing malware.
The infected website deploys a malicious iframe when users visit it, which leads the victim to a landing site for the pernicious botnet Nuclear exploit kit (Nuclear EK).
Nuclear EK has been around since 2009 and is, according to Heimdal Security, one of the most widely used exploit kits on the web. It is able to deploy a broad range of attacks, including exploiting security holes in Silverlight, PDF readers, Internet Explorer and Flash. It has been particularly successful because it is fast-evolving and uses so many exploit channels, through which it delivers primarily zero-day attacks that are undetectable by anti-malware and antivirus tools.
The Nuclear EK landing page that the ICW compromise leads to is, Zscaler says, highly obfuscated to avoid detection by security software.
This particular version of the kit uses JavaScript to deliver a malicious Flash file, which contains a separate payload - the Kelihos botnet.
Kelihos is also an established piece of malware, having first been detected in 2010. While it is often used for sending out spam email and carrying out distributed denial of service (DDoS) attacks, it has also been involved in Bitcoin wallet theft, Bitcoin mining, data theft, and downloading and executing arbitrary files.
In the case of the version found by Zscaler on the ICW site, Kelihos will check for the presence of 20 digital currency and FTP programs. It also extracts stored information from 10 browsers, including Chrome, such as user names, passwords and host names. A full list of the targeted programs can be found at the end of this article.
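As an added illustration of the site-side check a web administrator could run for the kind of injected iframe described above (this is example code, not Zscaler's or ITPro's, and the sample page and the landing-page domain in it are constructed placeholders):

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site iframe and one injected,
# hidden iframe pointing at an external (placeholder) exploit-kit landing page.
SAMPLE_HTML = """
<html><body>
<h1>Council news</h1>
<iframe src="https://www.example.org/calendar" width="600" height="400"></iframe>
<div><iframe src="http://landing.invalid/index.php?id=1" width="1" height="1"
     style="visibility:hidden"></iframe></div>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag names
            self.iframes.append(dict(attrs))


def is_hidden(attrs):
    """True if the iframe is styled to be invisible or is 1x1 pixel or smaller."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(left|top):-\d{3,}", style):  # pushed far off-screen
        return True

    def tiny(value):
        m = re.match(r"^\s*(\d+)", str(value)) if value is not None else None
        return bool(m) and int(m.group(1)) <= 1

    return tiny(attrs.get("width")) and tiny(attrs.get("height"))


def find_suspicious_iframes(html, site_host):
    """Return (src, reasons) for iframes that are both hidden and off-site."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host  # relative src = same site
        reasons = []
        if host != site_host:
            reasons.append("external src")
        if is_hidden(attrs):
            reasons.append("hidden")
        if len(reasons) == 2:
            findings.append((src, reasons))
    return findings
```

Run over a freshly fetched copy of each page and compare against a known-good baseline; a hidden, external iframe that was not there before is the signature the article describes.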
"Nuclear EK remains a worthy rival to Angler EK, with widespread campaigns, regular exploit payload updates, new obfuscation techniques and new malware payloads," said Zscaler researchers Dhanalakshmi PK and Rubin Azad. "The end malware payload we saw in this campaign was the information stealing Kelihos bot which has extremely low AV detection."
Affected FTP and digital currency software: 3D-FTP, Bitcoin, BitKinex, BlazeFtp, Bullet Proof FTP, Classic FTP, Core FTP, CuteFTP, Cyberduck, Directory Opus, FFFTP, FileZilla, Frigate3, FTPGetter, LeapFTP, FTPRush, xterm, PuTTY, SecureFX, SmartFTP
Affected browsers: Google\Chrome, Chromium, ChromePlus, Bromium, Nichrome, Comodo, RockMelt, CoolNovo, MapleStudio\ChromePlus, Yandex

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.
Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.