Nuclear, you can run, but you can’t hide

Datetime: 2016-08-22 23:54:24

In a seeming response to the recent Check Point investigative report, Nuclear Exploit Kit changed the location of the entire infrastructure.

Background

The Nuclear Exploit Kit, one of the largest attack infrastructures observed in the wild today, was recently the subject of a thorough investigation conducted by the Check Point Threat Intelligence and Research team as part of our ongoing research into the Malware-as-a-Service industry.

In Part I of our report, Inside Nuclear’s Core: Analyzing the Nuclear Exploit Kit Infrastructure, we reviewed in depth the various capabilities, exploits, and techniques employed by the exploit kit. We analyzed Nuclear’s operation scheme and its features, including the control panel, the landing page served by the exploit kit, the master server, infection flow, exploits and other internal logs.

In addition, we presented the active malware campaigns distributed by Nuclear and their infection statistics, and noted that Locky was the largest malware campaign distributed via the exploit kit at the time of publication.

Part II of the report, Inside Nuclear’s Core: Unraveling a Malware-as-a-Service Infrastructure, presented a first-of-its-kind view into the heart of a thriving cybercriminal syndicate scene. We reviewed the exploits and vulnerabilities served by the exploit kit and the process of delivering the payload to the victims. We also reviewed the effect of these campaigns on the victims, and assessed the damage caused.

The Aftermath

At the end of April, just a few days after our first report was published, the existing Nuclear infrastructure ceased operation entirely – all Nuclear panel instances and the master server stopped serving malicious content and responding to requests from their old IP addresses.

The operators stopped paying for the VPS hosting of their test servers and asked support to re-install them with clean images and delete their content.

As of June 5, 2016, the operators had not renewed the VPS purchase.

In addition, the operators modified the test server’s Diffie-Hellman implementation, which is used to send run-time de-obfuscation parameters for the exploitation process; it now parses those parameters with the correct encoding, hexadecimal, by invoking ‘gmp_init(_,16)’.
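To make the encoding point concrete, here is an added example (not code from this post, nor the exploit kit’s own code) of a Diffie-Hellman exchange in PHP/GMP: it shows that hex-encoded parameters agree only when both sides parse them with base 16, and what happens under the default base. It assumes PHP 8 with ext-gmp, and uses the 1024-bit MODP prime of RFC 2409 as the hex-encoded modulus.

```php
<?php
// Added example (not from the original post or the exploit kit): a minimal
// Diffie-Hellman exchange showing why hex-encoded parameters must be parsed
// with gmp_init($value, 16). Assumes PHP >= 8.0 (gmp_init() throws ValueError
// on a malformed number) with ext-gmp loaded.
declare(strict_types=1);

// Modulus: 1024-bit MODP prime of RFC 2409 (Oakley group 2), hex-encoded, as
// recalled here. Any safe prime would do; the value itself is not under test.
const DH_P_HEX =
    'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74'
  . '020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437'
  . '4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED'
  . 'EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF';
const DH_G = 2;

/** Correct parser: hex on the wire is read as base 16, explicitly. */
function parse_hex_param(string $hex): GMP
{
    if (!preg_match('/^[0-9a-fA-F]+$/', $hex)) {
        throw new InvalidArgumentException('DH parameter is not hex');
    }
    return gmp_init($hex, 16);
}

/** Defective parser: default base 0 reads decimal unless the string starts with 0x. */
function parse_param_wrong_base(string $hex): ?GMP
{
    try {
        return gmp_init($hex);
    } catch (ValueError) {
        return null; // any digit a-f makes the string an invalid decimal number
    }
}

/** One party's private exponent and hex-encoded public value g^x mod p. */
function dh_keypair(GMP $p): array
{
    $priv = gmp_random_range(2, gmp_sub($p, 2));
    return [$priv, gmp_strval(gmp_powm(DH_G, $priv, $p), 16)];
}

$p = parse_hex_param(DH_P_HEX);
[$aPriv, $aPubHex] = dh_keypair($p);
[$bPriv, $bPubHex] = dh_keypair($p);
// Both sides parse the peer's value as base 16, so the shared secrets agree.
$match = gmp_cmp(gmp_powm(parse_hex_param($bPubHex), $aPriv, $p),
                 gmp_powm(parse_hex_param($aPubHex), $bPriv, $p)) === 0;
printf("base 16 on both sides: %s\n", $match ? 'match' : 'MISMATCH');
// Under the default base the peer's value fails to parse at all (or, if it
// happens to contain only 0-9, silently reads as a different number: '1234'
// becomes 1234 rather than 0x1234 = 4660), so no shared secret can be derived.
printf("default base: %s\n", parse_param_wrong_base($bPubHex) === null ? 'parse failure' : 'silently wrong value');
```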

Our investigations have clearly had an impact. Check Point researchers continue to closely monitor changes in the Nuclear Exploit Kit infrastructure and infection flow.