Metasploit modules used by malicious exploit kit in the wild (Sep 12, 2014)


The Dell Sonicwall Threats Research team has discovered an exploit kit which uses Metasploit modules to attack the user system. This kit is identified to be NailedPack. This is a multi-payload exploit kit targeting users based on their browser and operating system.

Infection Cycle:

A legitimate website is infected by injecting an iframe, which redirects the users to malicious server. Injected iframe is obfuscated by using a JavaScript Packer.

Fig-1 : Obfuscated injected Iframe

Fig-2 : DeObfuscated Iframe

After deobfuscation generated iframe redirects users to landing page served on malicious server. Landing page uses AutoPwn Metasploit module rather than the traditional Plugin Detect JavaScript library as used by other Exploit Kits.

Image 1 Image 2
Fig 3 : Obfuscated AutoPwn module Fig 4 : DeObfuscated AutoPwn module

Above script identifies the Operating Sytem, Browser and its version and sends this information to server in base64 encoded format.

Fig 5 : Base64 encoded Target system information

In response to the above information, server sends an obfuscated javascript which has a list of checks based on which it requests for corresponding exploits.

Fig 6 : DeObfuscated Script to check vulnerability

This pack requests for multiple exploits and on successful exploitation additional malware might be downloaded to the system. During our analysis we did not observe any active payload being served.

Having up to date software will help in mitigating this Exploit Kit. Dell Sonicwall Threats Research team will keep on monitoring this Exploit Kit and add update mitigation signatures as required.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.