Metasploit modules used by malicious exploit kit in the wild

October 3, 2014

The Dell Sonicwall Threats Research team has discovered an exploit kit that uses Metasploit modules to attack users' systems. The kit is identified as NailedPack. It is a multi-payload exploit kit that targets users based on their browser and operating system.

Infection Cycle:

A legitimate website is infected by injecting an iframe, which redirects users to a malicious server. The injected iframe is obfuscated with a JavaScript packer.

Fig-1 : Obfuscated injected Iframe

Fig-2 : DeObfuscated Iframe

After deobfuscation, the generated iframe redirects users to a landing page served from the malicious server. The landing page uses the Metasploit AutoPwn module for browser fingerprinting rather than the PluginDetect JavaScript library traditionally used by other exploit kits.

Fig 3 : Obfuscated AutoPwn module

Fig 4 : DeObfuscated AutoPwn module

The above script identifies the operating system, the browser and its version, and sends this information to the server in base64-encoded form.

Fig 5 : Base64 encoded Target system information
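As an added defender-side example (not part of the Dell Sonicwall write-up), the following Python scans web-server access log lines for query parameters whose base64 decoding reads like the OS/browser/version fingerprint described above, which is one way to spot landing-page beacons in proxy or server logs. The sample log lines, the parameter name `i`, and the `OS|browser|version` field layout are constructed assumptions; the kit's actual parameter and layout are not shown here.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Vocabulary that marks a decoded value as an OS/browser fingerprint. Assumed
# for this example; the kit's exact field layout is not shown in the write-up.
OS_TOKENS = ("windows", "linux", "mac os", "android")
BROWSER_TOKENS = ("msie", "firefox", "chrome", "safari", "opera")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_b64(value):
    """Decode a base64 query value (padding optional); return str or None."""
    value = value.replace(" ", "+")          # parse_qsl turns '+' into ' '
    value += "=" * (-len(value) % 4)         # restore stripped padding
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def looks_like_fingerprint(text):
    """True if the text names both an operating system and a browser."""
    lower = text.lower()
    return any(t in lower for t in OS_TOKENS) and any(t in lower for t in BROWSER_TOKENS)


def find_fingerprint_beacons(log_lines):
    """Return (client_ip, param, decoded) for each request whose query
    string carries a base64-encoded OS/browser fingerprint."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for key, val in parse_qsl(urlsplit(match.group(1)).query):
            decoded = decode_b64(val)
            if decoded and looks_like_fingerprint(decoded):
                hits.append((line.split(" ", 1)[0], key, decoded))
    return hits


# Constructed sample access-log lines (RFC 5737 test addresses). The first
# carries base64("Windows XP|Firefox|3.6"); the last carries unrelated base64.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Oct/2014:10:15:01 +0000] "GET /land.php?i=V2luZG93cyBYUHxGaXJlZm94fDMuNg== HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Oct/2014:10:15:03 +0000] "GET /img/logo.png HTTP/1.1" 200 2048',
    '203.0.113.9 - - [03/Oct/2014:10:15:05 +0000] "GET /land.php?i=Tm90IGEgZmluZ2VycHJpbnQ= HTTP/1.1" 200 512',
]
```

Running `find_fingerprint_beacons(SAMPLE_LOG)` flags only the first line; the third decodes cleanly but names no OS or browser, so it is not reported.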

In response to this information, the server sends obfuscated JavaScript containing a list of vulnerability checks; based on their results, the script requests the corresponding exploits.

Fig 6 : DeObfuscated Script to check vulnerability

The pack requests multiple exploits, and on successful exploitation additional malware might be downloaded to the system. During our analysis we did not observe any active payload being served.

Keeping software up to date helps mitigate this exploit kit. The Dell Sonicwall Threats Research team will continue to monitor this exploit kit and add or update mitigation signatures as required.