Security Response

Nuklus Toolkit in Action

Created: 20 Feb 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:52:27 GMT
Elia Florio

This morning we received reports of spammed emails with the following bodies:

John Howard survived a heart attack
Read more: http://wi[REMOVED]news.hk

Prime Minister survived a heard attack
Read more: http://in[REMOVED]help.hk

Once again, it’s the usual attack that tries to lure victims to a Web site hosting exploit code. In this case, the attackers also added some extra social engineering to further their criminal purposes: when someone visits the hostile Web site, it shows a fake “502” error and gently suggests shutting down firewall and antivirus software to avoid the problem. (Of course! What else? Do you want my credit card number? Should I send money to your bank?)

The hostile site hosts an exploit for the RDS.DataControl component of Internet Explorer, patched by the MS06-014 bulletin. The exploit downloads and executes a malicious file (iexplore.exe), always from the same domain mentioned above.
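As an added example (not code from this post), a small Python triage check that scores an email body or a fetched landing page against the indicators the post describes: the “Read more:” lure link to a .hk domain, the fake 502 page that asks the user to disable firewall and antivirus software, and a reference to the RDS.DataControl ActiveX object addressed by MS06-014. The CLSID is the published one for that control; the weights, threshold and sample inputs are this example's own assumptions.

```python
import re
from html import unescape

# Published CLSID of the RDS.DataControl ActiveX object (the component covered by MS06-014).
RDS_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

# (name, pattern, weight); weights are an assumption of this example, not from the post.
INDICATORS = [
    ("lure_link_hk", re.compile(r"Read more:\s*https?://[^\s\"'<>]+\.hk\b", re.I), 3),
    ("fake_502", re.compile(r"\b502\b.{0,200}?(firewall|antivirus)", re.I | re.S), 2),
    ("disable_av", re.compile(r"(disable|shut\s*down|turn\s*off)\s+(your\s+)?(firewall|antivirus|anti-virus)", re.I), 2),
    ("rds_datacontrol", re.compile(r"RDS\.DataControl|" + re.escape(RDS_CLSID), re.I), 3),
]

def score_content(text):
    """Return (score, [matched indicator names]) for one email body or HTML page."""
    text = unescape(text)
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, hits

def is_suspicious(text, threshold=3):
    """Flag content whose indicator score reaches the (assumed) threshold."""
    return score_content(text)[0] >= threshold

# Constructed samples modelled on the post; the domain and page text are not real artefacts.
SPAM_BODY = "Prime Minister survived a heart attack\nRead more: http://lure.example.hk\n"
LANDING_PAGE = ('<html><body><h1>502 Bad Gateway</h1>'
                '<p>Please shut down your firewall and antivirus software and reload.</p>'
                '<object classid="clsid:' + RDS_CLSID + '"></object></body></html>')
BENIGN_MAIL = "Hi team, the 502 errors on the staging gateway are fixed; antivirus scans are back on schedule."

if __name__ == "__main__":
    for label, sample in [("spam", SPAM_BODY), ("landing", LANDING_PAGE), ("benign", BENIGN_MAIL)]:
        print(label, score_content(sample), "suspicious" if is_suspicious(sample) else "clean")
```

The benign mail still trips the loose 502 pattern, which is why the verdict is built from a combined score rather than any single regex.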

Spammed mails, social engineering, browser exploits… nothing really new; we have gotten used to this kind of stuff. However, after further analysis, we were able to find the attacker’s C&C panel, which manages all the infected hosts, and that’s the interesting part of this story!

The interface seems to be a new type of C&C Web panel created by an enigmatic "Nuklus team." It is most likely part of some phishing toolkit sold in the underground market.

The C&C interface gives statistics about the number of infected hosts and their country of origin (based on IP address). Australia, the USA, and the UK are the countries most targeted by this malware at the moment. The panel also allows the administrator to manage malicious plugins, and the page already shows a “frame grabber” plugin for IE present on the bot. This plugin intercepts typed URLs and information posted to Web pages on the fly. The attacker can also redirect the browser if the URL matches one on a specific list.

The list of “appetizing” URLs for the attacker is configured directly from the C&C interface and naturally includes many bank Web sites. The interface also has its own SQL database to store all the information gathered from the compromised hosts. Using the "SEARCH" tab, the attacker can run queries and search for valuable information very easily. It’s notable that this toolkit can also grab users’ certificate stores, as shown in the following figure (“CERT SQUEEZING”). These types of C&C interfaces are not new in malware, but they are becoming incredibly sophisticated and, unfortunately, easy to use.