Security researchers at Cisco Talos and Check Point have published reports detailing the inner workings of Nuclear, an "exploit kit" Web service that deployed malware onto victims' computers through malicious websites. While a significant percentage of Nuclear's infrastructure has been recently disrupted, the exploit kit is still operating—and looks to be a major contributor to the current crypto-ransomware epidemic.
Introduced in 2010, Nuclear has been used to target millions of victims worldwide, giving attackers the ability to tailor their attacks to specific locations and computer configurations. Though not as widely used as the well-known Angler exploit kit, it has been responsible for dropping Locky and other crypto-ransomware onto more than 140,000 computers in more than 200 countries, according to statistics collected by Check Point (PDF). The Locky campaign appeared to be placing the greatest demand on the Nuclear pay-to-exploit service.
Much of Talos' data on Nuclear comes from tracking down the source of its traffic—a cluster of "10 to 15" IP addresses that were responsible for "practically all" of the exploit infrastructure. Those addresses were being hosted by a single cloud hosting provider—DigitalOcean. The hosting company's security team confirmed the findings to Talos and took down the servers—sharing what was on them with security researchers.
At the same time, Check Point researchers had gained access to the paid malware delivery service's customer control panel and were able to plumb the service to collect their own statistics about its use.
Clipping coupons for infrastructure
Remarkably, after getting shut down initially, the operators of Nuclear quickly set up new DigitalOcean instances of the servers, using a different free e-mail account, according to a blog post by Cisco Talos' Nick Biasini. While Angler exploit kit servers have usually been tied to hosting accounts at various providers created with stolen credit card numbers, Nuclear's operators stuck to DigitalOcean because they were using coupon codes "to avoid traditional payment," Biasini noted, "and they remained careful by only registering a single host."
From a user-experience point of view—a criminal user, not the victim receiving the malware—Nuclear's Web console has a look and feel similar to that of any commercial hosting service's Web console, with bilingual support (English and Russian) and fairly intuitive tabbed forms. All a customer really needed to do was configure some filters and add their preferred malware package for delivery. The console pages are served up on non-standard Internet Protocol ports—only a few elements of the service were seen using ports usually associated with Web traffic—likely to prevent the pages from being picked up by Web search robots.