Visitors are directed to a page that delivers the Nuclear Pack exploit kit

Jul 19, 2014 08:14 GMT  ·  By

Security researchers have found that Askmen.com, the popular online publication for men, has been compromised once again and is currently being used to distribute the Kelihos Trojan.

Kelihos was discovered toward the end of 2010. Law enforcement, working with private-sector security companies, has taken action to disable the botnet it built on three occasions: in 2011, 2012 and 2013.

The malware, also known as Hlux, has generally been used by cybercriminals to send spam messages containing URLs that serve installers for other Trojans.

Microsoft says it can also receive instructions from its command and control servers to steal sensitive information or to download and execute arbitrary files.

Jerome Segura, senior researcher at Malwarebytes, reports that cybercriminals injected malicious code into Askmen.com's server so that unsuspecting visitors are redirected to a page serving the Nuclear Pack exploit kit. The kit probes for vulnerable versions of Adobe Flash, Adobe Reader and Java, and a successful exploit drops the payload, the Kelihos Trojan.
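The injection described above is usually a foreign script or hidden iframe added to an otherwise legitimate page. The following is an added example, not code from the article or from Malwarebytes, of the first check a researcher runs when a site is suspected of being compromised: parse the page and list every script or iframe that loads from a host outside the site's own domain or is hidden from the reader. The sample page and all hostnames in it are constructed for the example and are not indicators from this incident.

```python
"""Flag off-site or hidden <script>/<iframe> includes in a page's HTML."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _TagCollector(HTMLParser):
    """Collect every <script> and <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag_name, attrs_dict)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.found.append((tag, dict(attrs)))


def _is_hidden(attrs):
    """True for 0/1-pixel frames or CSS that keeps the element off-screen."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_includes(html, site_host):
    """Return findings for script/iframe includes that deserve review.

    site_host is the hostname the page legitimately belongs to. Anything that
    loads from another host, or is an iframe hidden from the reader, is
    reported; relative URLs (same origin) are skipped.
    """
    parser = _TagCollector()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.found:
        src = attrs.get("src")
        if not src:
            continue  # inline script or empty frame; not a remote include
        # Protocol-relative "//host/x" and absolute URLs both parse to a host;
        # a path-only src parses to no host and is treated as same-origin.
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        reasons = []
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site host %s" % host)
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append({"tag": tag, "src": src, "reasons": reasons})
    return findings


# Constructed sample page for a hypothetical site.example whose footer has
# been tampered with; the hostnames are placeholders, not real indicators.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.site.example/lib.js"></script>
</head><body>
<p>article text</p>
<iframe src="http://landing.example/index.php" width="1" height="1"
        style="display: none"></iframe>
<script src="//tracker.example/t.js"></script>
</body></html>
"""


def demo():
    """Run the check over the constructed page; two includes are flagged."""
    return find_suspicious_includes(SAMPLE_PAGE, "site.example")


if __name__ == "__main__":
    for finding in demo():
        print(finding["tag"], finding["src"], ", ".join(finding["reasons"]))
```

The output is a review list, not a verdict: a third-party analytics script will show up as off-site and may be perfectly legitimate, while a real injection is often obfuscated JavaScript written into an existing file rather than a clean new tag. Treat this as the static first pass before loading the page in an instrumented browser.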

The researchers notified the administrators of Askmen.com and received a reply saying that the issue is being looked into.

The portal was also compromised in June. That incident was reported by researchers at Websense, a San Diego-based security company, who notified the portal's administrators.

At that time, representatives of the website did not immediately acknowledge the compromise and said that Websense had never contacted them.

Later, we received an email from them saying they could not find evidence of malware in the wake of “a thorough investigation.”

However, the company turned out to be wrong: an attack had indeed been conducted through Askmen.com, and it subsequently issued a statement saying that the code had been cleaned and that it would continue monitoring the site.

Askmen.com reaches more than 14 million readers per month in the United States alone, and there are also localized versions of the portal for the UK, Canada, Australia and the Middle East.

In this case, mitigating the risk consists of updating Java, Adobe Flash and Adobe Reader to their latest versions: the flaws leveraged by the Nuclear Pack exploit kit are old and have been patched in newer releases of that software, so a fully patched browser has nothing for the kit to exploit.

The free version of Malwarebytes Anti-Exploit is prepared for this threat and actively blocks it.