Exploit:JS/Neclu.C
First posted on 14 May 2019.
Source: Microsoft
Aliases:
There are no other names known for Exploit:JS/Neclu.C.
Explanation:
This threat is a component of the Nuclear exploit kit. It is malicious JavaScript code embedded in an HTML page.
Installation
The threat checks to see if your PC is running a vulnerable version of Java or Adobe Reader.
We have seen it try to use the following vulnerabilities:
CVE-2010-0188 (Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1)
CVE-2012-1723 (Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier)
CVE-2013-1493 (Oracle Java SE 7 update 15 and earlier, 6 update 41 and earlier, and 5.0 update 40 and earlier)
CVE-2013-2423 (Java SE 7 update 17 and earlier, and OpenJDK 7)
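The version ranges in this list can be turned into an inventory check. The following is an added example, not part of the original write-up: the host names and inventory rows are constructed, the function names are hypothetical, and Java versions are assumed to use the legacy 1.N.M_UU string form.

```python
import re

# Highest affected Java release per family, copied from the CVE list above.
# Key: Java major (the N in 1.N.x); value: inclusive (micro, update) upper bound.
JAVA_AFFECTED = {
    "CVE-2012-1723": {7: (0, 4), 6: (0, 32), 5: (0, 35), 4: (2, 37)},
    "CVE-2013-1493": {7: (0, 15), 6: (0, 41), 5: (0, 40)},
    "CVE-2013-2423": {7: (0, 17)},
}
# First fixed Reader/Acrobat release per branch for CVE-2010-0188 (exclusive bound).
READER_FIXED = {8: (8, 2, 1), 9: (9, 3, 1)}
JAVA_RE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?")

def java_cves(version):
    """Return the listed CVEs that cover a Java version such as '1.7.0_15'."""
    m = JAVA_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {version!r}")
    major, micro, update = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    return sorted(cve for cve, limits in JAVA_AFFECTED.items()
                  if major in limits and (micro, update) <= limits[major])

def reader_cves(version):
    """Return ['CVE-2010-0188'] if a Reader/Acrobat version such as '9.3.0' is affected."""
    parts = tuple(int(p) for p in version.strip().split(".")[:3])
    parts += (0,) * (3 - len(parts))  # pad '9.3' to (9, 3, 0)
    fixed = READER_FIXED.get(parts[0])
    return ["CVE-2010-0188"] if fixed and parts < fixed else []

def audit(inventory):
    """Map host -> sorted CVE list for (host, product, version) rows; clean hosts are omitted."""
    findings = {}
    for host, product, version in inventory:
        hits = java_cves(version) if product == "java" else reader_cves(version)
        if hits:
            findings.setdefault(host, []).extend(hits)
    return {host: sorted(set(cves)) for host, cves in findings.items()}

# Constructed inventory rows (host names and versions are made up for illustration).
SAMPLE = [
    ("ws-01", "java", "1.7.0_15"), ("ws-01", "reader", "9.3.0"),
    ("ws-02", "java", "1.7.0_21"), ("ws-03", "java", "1.6.0_32"),
    ("ws-04", "reader", "9.3.1"),
]

if __name__ == "__main__":
    for host, cves in sorted(audit(SAMPLE).items()):
        print(host, ", ".join(cves))
```
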
We have seen the threat hosted on pages at the following URLs:
http://mqs3sbee.polarquarterback.pw/_3-c89dff037-ee-19See1C0-f/202/86293d224dad755bb9bd0f13d34119f0.html
http://exk8zn.wintercoach.pw/ _a0ac04_8ac_a4-1Ncc8-c/187/33b2e12e14fbd7a7eaf380ef1437bc5d.html
http://j46ix0.slipperyjavelin.pw/ -4LaMa4096c3c_f32Rc_2-0_0Z/145/3438ee91374eac5ad5146f1ca848e85b.html
The landing page might look like the following:
Payload
Downloads malware
If your PC has vulnerable software installed, this threat can download other malware, including:
Win32/Zbot
Win32/Gamarue
Win32/Tofsee
Win32/Dofoil
Win32/Neurevt
Win32/Expiro
Win32/Loktrom
Analysis by Shawn Wang
Last update 14 May 2019