A large cybercrime campaign is in the works leveraging the Nuclear Exploit Kit and a fake CloudFlare DDoS protection screen to redirect unknowing users to malicious webpages. The campaign was recently detected by a senior security researcher at Malwarebytes, and the exploit kit appears to have been very active, especially via infected WordPress sites.
The idea behind this campaign is to hijack the user’s browsing path by throwing up a falsified CloudFlare security warning while secretly redirecting them through a series of servers until they finally land on a page hosting the Nuclear EK. Nuclear then compromises computers via drive-by downloads and installs malware and, more recently, ransomware.
During each redirection happening in the background, the server tests the victim’s device for various security vulnerabilities. Each check takes time, so the attackers keep the user waiting at the fake DDoS check screen, believing CloudFlare is actually performing a security scan (which can take 5 seconds).
One easy way to spot these fake CloudFlare DDoS checks is to look for a parameter called “Ray ID,” a randomly generated string unique to each request. The fraudulent screens do not contain this parameter.
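The Ray ID heuristic above, turned into a small triage check over a captured page, as an added example that is not part of the original article. It assumes a Ray ID is a run of hex characters, treats the absence of a cf-ray response header as a further warning sign, and flags script or meta-refresh redirects of the kind the campaign chains together; the sample pages and the redirect target are constructed.

```python
import re
from typing import Dict, List, Optional

# Assumption: a genuine Ray ID is rendered as "Ray ID: <hex string>".
RAY_ID_RE = re.compile(r"Ray ID:?\s*([0-9a-f]{8,})", re.IGNORECASE)
# Text a page uses to present itself as a DDoS / browser check.
CHALLENGE_RE = re.compile(r"checking your browser|ddos protection", re.IGNORECASE)
# JavaScript or meta-refresh redirects to an absolute URL.
REDIRECT_RE = re.compile(
    r"""(?:window\.location(?:\.href)?\s*=|"""
    r"""<meta[^>]+http-equiv=["']refresh["'][^>]*url=)"""
    r"""\s*["']?(https?://[^"'\s>]+)""",
    re.IGNORECASE,
)


def assess_challenge_page(html: str, headers: Optional[Dict[str, str]] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    if not CHALLENGE_RE.search(html):
        return findings  # page does not claim to be a DDoS check; nothing to judge
    if not RAY_ID_RE.search(html):
        findings.append("claims to be a CloudFlare DDoS check but shows no Ray ID")
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    if "cf-ray" not in hdrs:  # assumption: genuine challenge responses carry cf-ray
        findings.append("no cf-ray response header")
    for m in REDIRECT_RE.finditer(html):
        findings.append(f"script/meta redirect to {m.group(1)}")
    return findings


# Constructed samples: one page that looks genuine, one that mimics the campaign.
GENUINE_HTML = "<p>Checking your browser before accessing the site.</p><p>Ray ID: 2f8a19c4b7e0d1a3</p>"
GENUINE_HEADERS = {"CF-RAY": "2f8a19c4b7e0d1a3-FRA"}
FAKE_HTML = (
    "<h1>DDoS protection by CloudFlare</h1><p>Checking your browser...</p>"
    "<script>setTimeout(function(){window.location.href = 'http://landing.example.invalid/go';}, 5000);</script>"
)

if __name__ == "__main__":
    for label, page, hdrs in (("genuine", GENUINE_HTML, GENUINE_HEADERS), ("fake", FAKE_HTML, {})):
        print(label, assess_challenge_page(page, hdrs) or ["no findings"])
```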