An Internet Explorer exploit used in high-profile watering hole attacks has been added to the popular Nuclear Pack hacking toolkit.
The exploit affects unpatched versions of Internet Explorer and was used in November to infect users interested in national and international security policy via an unnamed US policy website.
The payload was loaded directly into memory without first being written to disk, which the FireEye researchers who discovered the attack said was a hallmark of advanced attackers, and it left no clues that could be used to identify infected endpoints.
Nuclear is one of the most popular exploit kits, offering a packaged framework of payloads and client-side exploits to make attacks easier and more efficient.
Microsoft said the exploit was a product of two distinct vulnerabilities: a remote code execution vulnerability (CVE-2013-3918) in the InformationCardSigninHelper ActiveX component used by Internet Explorer, and an information disclosure vulnerability used to improve the reliability of the attack.
The exploit was used by a criminal group in September to compromise governments, manufacturing firms and high technology companies in Japan and the US using watering hole attacks, so called because they infect websites popular with the targeted users.
"By utilising strategic web compromises along with in-memory payload delivery tactics and multiple nested methods of obfuscation, this campaign has proven to be exceptionally accomplished and elusive," FireEye researchers wrote in November.
"APT (advanced persistent threat) actors are clearly learning and employing new tactics. With uncanny timing and a penchant for consistently employing zero-day exploits in targeted attacks, we expect APT threat actors to continue to evolve and launch new campaigns for the foreseeable future."
The attacks, dubbed Operation Deputy Dog, were thought to be conducted by the same group that compromised security firm Bit9 in February last year.
Fight to the top
Over the last year, some of the most popular exploit kits have disappeared, along with dozens of more obscure offerings.
The most notorious of all, BlackHole, fell out of use in December following the arrest of its author, known as Paunch. The same hacker was also behind the Cool exploit kit, which has likewise been retired.
The fall of BlackHole has resulted in a race to claim top spot. This month Dutch security firm Fox-IT reported Yahoo! was serving malicious advertisements that were redirecting users to the Magnitude exploit kit, which was infecting an estimated 27,000 victims an hour.
Kaspersky researcher Kurt Baumgartner said this month that a successor to BlackHole could be "years away", but researchers at Kahu Security recently said the formerly popular RedKit exploit kit appeared to be making a comeback in the wake of BlackHole's demise.