A fake CloudFlare DDoS (distributed denial of service) check page is being used by a Nuclear exploit kit (EK) gate to load a malicious redirection page to serve malware, according to security firm Malwarebytes.
CloudFlare is a well-known cloud security provider that offers DDoS protection along with several other services to website owners. CloudFlare filters DNS requests through its infrastructure to protect websites from attacks and provide faster page delivery times.
In a recent blog post, Malwarebytes’ Jérôme Segura explains that there have been several malvertising attacks that have been redirecting users to a rogue domain which appears to be using CloudFlare, but is actually serving the Nuclear EK instead. However, a closer inspection revealed that the server’s IP address does not belong to CloudFlare and that the domain is completely bogus.
The interesting part, however, is the fact that the cybercriminals are using a conditional malicious redirection that checks if the user is genuine. Next, the user is redirected to an intermediate site designed to further redirect the victim to the Nuclear EK, in addition to loading an ad banner and collecting an affiliate commission.
The attackers also rely on JavaScript in order to launch their exploit, and they even instruct users to “turn JavaScript on and reload the page.”
The technique, however, might not return the expected results every time, and Malwarebytes researchers say they do not know why the threat actors are using the aforementioned redirection template.
CloudFlare has been already alerted on the matter and has confirmed that the bogus domain is in no way associated with the security firm.