Cisco Blogs
Share

Nuclear Drops Tor Runs and Hides


April 8, 2016 - 0 Comments

Introduction

Exploit kits are constantly compromising users, whether it’s via malvertising or compromised websites, they are interacting with a large amount of users on a daily basis. Talos is continuously monitoring these exploit kits to ensure protection, analyze changes as they occur, and looking for shifts in payloads. Yesterday we observed a new technique  in the Nuclear kit and found a new payload and technique we’ve not seen before.

Details

It’s been awhile since we’ve discussed Nuclear so let’s start with an overview of how users are infected. Like most exploit kits it has a couple of key components: a gate, a landing page, and an exploit page with payload.  Let’s start by describing the gate that we have been observing associated with Nuclear and specifically this instance associated to a novel payload.

Gate

This particular infection begins with a compromised website. Buried on the website is a couple lines of javascript, which you can find below:

Screen Shot 2016-04-07 at 8.40.32 PM

Read More >>>

Tags:

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.