Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack.
Unsurprisingly, the sample (592899e0eb3c06fb9fda59d03e4b5b53) dropped by Nuclear is the same one proposed as the fake update.
But there was an additional 11kb payload call for which I could not find a sample on the drive.
|Nuclear Pack dropping Nymaim in the 2015-11-30 Spam Campaign|
Friends (who don't want to be mentioned) figured out that a privilege escalation was in use there:
According to Kaspersky and Timo Hirvonen (F-Secure) it's CVE-2014-4113 (Win32k.sys Elevation of Privilege Vulnerability, fixed in MS14-058 in October 2014, so only unpatched systems are affected).
I did not get to see the privilege escalation in live conditions.
Note: this is not the first time a public Exploit Kit has integrated an exploit to escalate the rights of the dropped payload (cf. CVE-2015-2426 in Magnitude).
Files: Fiddler and Dll here (password is malware - XOR key: 56774347426F664767 then 213404052d09212031)
Thanks: Kaspersky, Timo Hirvonen, Malc0de and 2 other friends for taking some time and using their wizardry on this.
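The note on the shared files gives two XOR keys. As an added example (my code, not the author's tooling), here is a decoder that assumes "K1 then K2" means two successive repeating-key XOR passes over the whole file, both key streams starting at offset 0. It also shows that, because both keys are 9 bytes long and XOR is commutative and associative, the two passes collapse into a single pass with the folded key 774347426F66476756, which is just the first key rotated left by one byte. The `decode_file` and `looks_like_pe` helpers are my own additions; if the real layout differs (e.g. one key per file), only the key list changes.

```python
"""Two-stage repeating-key XOR decoder (added example, not from the post).

Assumption: "XOR key: K1 then K2" means the file is XORed with repeating
key K1, then the result is XORed again with repeating key K2, both
streams starting at file offset 0.
"""
from itertools import cycle

# Keys as given in the post, applied in this order.
KEYS_HEX = ["56774347426F664767", "213404052d09212031"]


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated from offset 0 (self-inverse)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_layers(data: bytes, keys_hex=KEYS_HEX) -> bytes:
    """Apply each key in turn. Calling it again re-encodes the data."""
    out = data
    for kh in keys_hex:
        out = xor_repeating(out, bytes.fromhex(kh))
    return out


def combined_key(keys_hex=KEYS_HEX) -> bytes:
    """Fold equal-length keys into the single key that yields the same
    result in one pass. Only valid when every key has the same length and
    every pass starts at offset 0; otherwise the streams drift apart."""
    keys = [bytes.fromhex(k) for k in keys_hex]
    n = len(keys[0])
    if any(len(k) != n for k in keys):
        raise ValueError("keys differ in length; fold is not valid")
    folded = bytearray(n)
    for k in keys:
        for i, b in enumerate(k):
            folded[i] ^= b
    return bytes(folded)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decoded DLL: 'MZ' at offset 0 and the
    e_lfanew field (offset 0x3C) pointing at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_file(path_in: str, path_out: str) -> bool:
    """Decode a file on disk; returns True if the result has a PE header,
    which is the quickest sign that the key order/assumption was right."""
    with open(path_in, "rb") as f:
        blob = f.read()
    plain = decode_layers(blob)
    with open(path_out, "wb") as f:
        f.write(plain)
    return looks_like_pe(plain)


if __name__ == "__main__":
    import sys
    ok = decode_file(sys.argv[1], sys.argv[2])
    print("decoded; PE header", "found" if ok else "NOT found")
```

Usage: `python decode.py encoded.bin payload.dll`. If the PE check fails, the first thing to revisit is the assumption that both passes start at offset 0; the fold into a single key then no longer holds either.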
Read More:
An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - 2014-10-29 - TrendMicro
Tags: privilege escalation, Nuclear Pack, win32k.sys, CVE-2014-4113