A bot in the website of the International Council of Women (ICW) has been compromised by attackers using the Nuclear Exploit Kit—infecting users with the Kelihos bot.
According to Zscaler, the EK was heavily obfuscated to evade security software detections.
Researchers found that the malware was communicating with remote servers to exchange information used to execute various tasks—including sending spam email, capturing sensitive information or downloading and executing malicious files. Kelihos was also trying to steal login credentials and digital currency—including Bitcoin—by monitoring network traffic of the victim's machine. And, it was trying to gather stored information such as usernames, passwords and host names from various Internet browsers—including Google Chrome and ChromePlus.
“Nuclear EK remains a worthy rival to Angler EK, with widespread campaigns, regular exploit payload updates, new obfuscation techniques and new malware payloads,” Zscaler researchers noted in an analysis. “The end malware payload we saw in this campaign was the information stealing Kelihos bot which has extremely low AV detection.”
Things have been busy on the EK front of late. Earlier in the week Zscaler found that despite the recent attempt to take down the Angler Exploit Kit, a Chinese government website recently was compromised, exploiting Flash and directing users to the CryptoWall 3.0 payload.
The firm uncovered that it’s back to business as usual for kit operators. The compromised Chinese government website was the "Chuxiong Archives,” compromised with injected code. The site has a similar look and feel to both the Chuxiong Yi Prefecture and Chuxiong City websites and appears somewhat inactive. The compromised site was cleaned up within 24 hours, but the situation alerted Zscaler to recent changes to Angler, as well as the inclusion of newer Flash exploits.