Happy Nucl(y)ear – Evolution of an Exploit Kit

This blog post discusses how Nuclear Pack, one of the most popular exploit kits, has evolved, and highlights the constant, ongoing arms race between attackers and defenders.

While Nuclear Pack is not the most sophisticated exploit kit–that dubious distinction goes to Angler, which we will write about in an upcoming post–it is highly effective. It has been used in such high-impact campaigns as the AskMen compromise, and was used by the APT group behind Operation Windigo. Nuclear Pack has a wide range of attacks in its repertoire, including Flash, Silverlight, PDF, and Internet Explorer exploits, and it is capable of dropping any malware. Furthermore, Nuclear Pack is constantly being improved by its creators to avoid detection and achieve higher infection rates.

Exploit kits are a main source of compromises today; they are one of the primary vehicles for both 0-day and widely effective, known vulnerabilities, offering a free pass to drop active malicious content (such as the banking trojan Zeus) that embeds itself on the system, giving cybercriminals a way into internal networks and ultimately leading to data exfiltration. Last year Websense detected and blocked more than 66 million threats specifically involving exploit kits, plus over 1 billion catches of later stages, such as dropper files and C&C traffic (Call Home stage), that are commonly due to new exploit kit activity. In essence, exploit kits are complete, off-the-shelf solutions that cybercriminals can purchase to compromise systems by exploiting various software vulnerabilities on the victim's system. In addition, these kits are equipped to defeat IDS and anti-virus solutions in order to avoid detection; the primary technique they use to achieve this is code obfuscation, which hides the true nature of the malicious code. Exploit kits constantly change and improve in order to keep up with various security solutions, and the new version of Nuclear Pack is the next phase of exploit kit evolution.

Telemetry

Nuclear Pack affects nearly all industries, as it is very often used in high-volume compromises. In addition, the number of exploit attempts varies greatly based on the traffic volume of the compromised website, as shown in the charts below.

Affected Industries:


Nuclear Pack trend activity over time:


High Level Overview of Nuclear Pack infections

Nuclear Pack follows the traditional kill chain and maps directly to the 7 Stages of Advanced Threats. Websense customers are protected from this threat with ACE, our Advanced Classification Engine, at the following stages:

  • Stage 2 (Lure) – ACE has detection for the compromised websites.
  • Stage 3 (Redirect) – ACE has detection for the injected code that redirects the user to the exploit page.
  • Stage 4 (Exploit Kit) – ACE has detection for the malicious code that attempts to execute this cyber attack.
  • Stage 5 (Dropper Files) – ACE has detection for the binary files associated with this attack.

The picture below shows all stages, from the first HTTP transaction with the compromised website. It is worth noting that the original version of Nuclear Pack was seen to use predictable URL patterns. In the new version of Nuclear Pack, the redirect URLs and methods are highly random, making the redirect stage much more difficult to detect.

Nuclear Pack infection chain:


Obfuscation

As with other exploit kits, Nuclear Pack uses various obfuscation techniques to avoid detection by IDS and anti-virus solutions. In order to detect and protect against this threat, it is crucial to understand and identify the obfuscation techniques that are unique to this exploit kit.

After cleaning up the landing page so that it is properly structured, we are still left with highly obfuscated JavaScript code.

Cleaned up Landing Page (part I):


Cleaned up Landing Page (part II):


Investigating the structure of the obfuscated code reveals that it actually consists of only a few parts:

  1. Some helper routines for deobfuscation
  2. Obfuscated content (uses decimal format to store the plugin detect and actual exploit part of the exploit kit)
  3. Deobfuscation routines
  4. The actual deobfuscation
  5. Running the deobfuscated JavaScript

How Nuclear Pack deobfuscation works


In essence the landing page just takes the obfuscated content, deobfuscates it, and then runs it.

One of the most unique Nuclear Pack obfuscation techniques is the use of the background color as a means to obfuscate and deobfuscate certain functionality. The original version of Nuclear Pack always sets the background color of the page to an arbitrary color. Later, the variable document.bgColor is used to deobfuscate a number of functions, which were obfuscated with hexadecimal HTML color values.

Unique obfuscation method: <body bgcolor="#333399"> is used in the example below

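To turn the bgcolor trick described above into a triage check, here is an added example (not code from the original post or from the kit itself) that scans a landing page for the indicators the post names: a body bgcolor attribute, a script that reads document.bgColor, and long decimal runs or hex colour literals inside script blocks. The sample pages are constructed for the demo and the thresholds are my own choice.

```javascript
// Added example (not from the original post): static triage heuristic for
// landing pages that use the Nuclear Pack bgcolor-as-key obfuscation.
// Node.js, no dependencies. Sample pages below are constructed, not real kit code.

// Indicators drawn from the post: <body bgcolor="#RRGGBB">, a script that reads
// document.bgColor, functions hidden as hex colour literals, and payload stored
// as long runs of decimal numbers. The run length of 40 is an assumed threshold.
const BODY_BGCOLOR_RE = /<body[^>]*\bbgcolor\s*=\s*["']?#?[0-9a-f]{6}\b/i;
const BGCOLOR_READ_RE = /document\s*\.\s*bgColor/i;
const HEX_COLOR_LITERAL_RE = /["']#[0-9a-f]{6}["']/gi;
const DECIMAL_RUN_RE = /(?:\b\d{1,3}\b\s*[,\s]\s*){40,}/g;

function triageLandingPage(html) {
  const hits = {
    setsBodyBgColor: BODY_BGCOLOR_RE.test(html),
    readsDocumentBgColor: BGCOLOR_READ_RE.test(html),
    hexColorLiteralsInScript: 0,
    longDecimalRuns: 0,
  };
  // Only count literals and decimal runs inside <script> blocks; colour
  // literals in CSS or markup are normal and would cause false positives.
  const scripts = html.match(/<script\b[^>]*>[\s\S]*?<\/script>/gi) || [];
  for (const s of scripts) {
    hits.hexColorLiteralsInScript += (s.match(HEX_COLOR_LITERAL_RE) || []).length;
    hits.longDecimalRuns += (s.match(DECIMAL_RUN_RE) || []).length;
  }
  // The bgcolor-as-key pattern needs the attribute AND a script that reads it,
  // plus at least one sign of obfuscated content keyed on it.
  const suspicious = hits.setsBodyBgColor && hits.readsDocumentBgColor &&
    (hits.hexColorLiteralsInScript > 0 || hits.longDecimalRuns > 0);
  return { ...hits, suspicious };
}

// Constructed sample mimicking the shape described in the post.
const SAMPLE_PAGE = `<html><body bgcolor="#333399">
<script>
var k = document.bgColor;
var a = [${Array.from({ length: 60 }, (_, i) => (i * 37) % 256).join(",")}];
var f = ["#3333aa", "#3333bb"];
</script></body></html>`;

// Constructed benign page: a background colour, but no script touching it.
const BENIGN_PAGE = `<html><body bgcolor="#ffffff"><p>hello</p></body></html>`;
```

Feed it the cleaned-up landing page rather than the raw one, since the post notes the page needs restructuring before the script is readable at all.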

Deobfuscated Content

Once the exploit kit is deobfuscated, the true functionality of the exploit kit is revealed. The deobfuscated code has four parts, and they are executed in the following order:

  1. Plugin Detect
  2. XMLDOM Information Disclosure exploit to determine whether anti-virus is running on the system
  3. Checking whether the victim has a vulnerable plugin version
  4. Launching appropriate exploit(s)

Nuclear Pack uses the popular PluginDetect library to fingerprint the victim. As you can see, the creators were using the latest version.

PluginDetect:


Nuclear Pack uses the CVE-2013-7331 XMLDOM ActiveX control vulnerability to enumerate anti-virus software on the target system. Note that the vulnerability only affects Internet Explorer users. The use of this exploit to fingerprint the victim's machine for anti-virus software is not unique to Nuclear Pack. It is increasingly being adopted by more and more exploit kits (including Angler and RIG). If a specific (hardcoded) anti-virus solution is detected, the infection attempt is aborted in order to avoid possible detection.

Anti-Virus Detection:


Before launching the actual exploits, Nuclear Pack runs a check to see whether the victim has vulnerable plugin versions. As you can see below, Nuclear Pack also checks for vulnerable Java versions. That functionality is only a placeholder, however; it doesn't seem to use any Java exploits.

Vulnerable Plugin Check:


Finally, based on the results of the previous check, the exploit kit runs the appropriate exploit or exploits.

Launching Exploits


New version of Nuclear Pack

During December, a new version of Nuclear Pack emerged. While it has only been used on a low scale at this point, it is very likely that this new version will completely replace the old version. As with any new software release, the new version of Nuclear Pack has new features and various improvements.

The biggest difference between the new version and its predecessor is that it uses completely different obfuscation techniques to hide malicious code from security products.

Landing page using the new obfuscation


In addition to the complete overhaul of its obfuscation methods, Nuclear Pack now uses a rudimentary second-layer obfuscation. In other words, there is another layer of obfuscation. It is very basic, even human-readable, but probably useful against security products that can only deal with one layer of obfuscation. To increase infection rates even further, Nuclear Pack has detection for more anti-virus products.

Second layer obfuscation and AV detection:


In the past, NuclearPack also used simple URL patterns specific to only this exploit kit. With the new version this is no longer the case. Also, a large chunk of the original PluginDetect library is gone, leaving only the essentials. This makes Nuclear Pack more streamlined and efficient.

The creators of NuclearPack also introduced an XOR-based obfuscation method for the malware payload, which makes it significantly more difficult to detect the dropper file with IDS or anti-virus, as no signatures will match on the encoded payload. Websense File Sandboxing reports the dropped executable as malicious.

Malware Payload XOR-ed with ASCII string "kFLzT":

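As an added example (not part of the original post), the following Node.js code shows how an analyst can undo the repeating-key XOR applied to the dropper, and can even recover a short key such as "kFLzT" from the known bytes of a PE header, so the decoded file can be hashed and matched by signature again. The encoded sample is constructed inside the block, and the assumption that the payload is a standard PE file with the usual DOS stub is mine.

```javascript
// Added example (not from the original post): recover a dropper that was
// XOR-ed with a short repeating ASCII key, as the post describes for "kFLzT".
// Node.js, no dependencies. The encoded sample below is constructed here.

// Typical first 16 bytes of a PE file (MZ signature + DOS header fields).
// The zero bytes make key recovery trivial: 0 ^ k = k.
const PE_HEADER_KNOWN = Buffer.from([
  0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
  0x04, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00,
]);

// XOR every byte with the repeating key; the operation is its own inverse,
// so the same function both encodes and decodes.
function xorWithKey(data, key) {
  const k = Buffer.from(key, "latin1");
  const out = Buffer.alloc(data.length);
  for (let i = 0; i < data.length; i++) out[i] = data[i] ^ k[i % k.length];
  return out;
}

// Cheap sanity check a sandbox or analyst applies: does it start with "MZ"?
function looksLikePE(data) {
  return data.length >= 2 && data[0] === 0x4d && data[1] === 0x5a;
}

// Known-plaintext key recovery: XOR the encoded prefix with the expected
// header bytes to get the key stream, then verify it repeats with period keyLen.
// Returns null when the data is not consistent with that key length.
function recoverXorKey(encoded, keyLen) {
  if (encoded.length < PE_HEADER_KNOWN.length) return null;
  const stream = Buffer.alloc(PE_HEADER_KNOWN.length);
  for (let i = 0; i < stream.length; i++) stream[i] = encoded[i] ^ PE_HEADER_KNOWN[i];
  for (let i = keyLen; i < stream.length; i++) {
    if (stream[i] !== stream[i - keyLen]) return null;
  }
  return stream.subarray(0, keyLen).toString("latin1");
}

// Constructed sample: a fake dropper (PE header + filler) encoded with "kFLzT".
const SAMPLE_PLAIN = Buffer.concat([PE_HEADER_KNOWN, Buffer.from("constructed body", "latin1")]);
const SAMPLE_ENCODED = xorWithKey(SAMPLE_PLAIN, "kFLzT");

// Full analyst flow: guess the key length, recover the key, decode, check "MZ".
function recoverDropper(encoded, keyLen) {
  const key = recoverXorKey(encoded, keyLen);
  const decoded = key ? xorWithKey(encoded, key) : null;
  return { key, isPE: decoded ? looksLikePE(decoded) : false, decoded };
}
```

A real sample may use a non-standard DOS stub, so try a few key lengths and fall back to checking only the "MZ" bytes if the 16-byte known header does not match.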

Websense File Sandboxing report showing detection as Malicious:


Finally, the new version only uses Flash (CVE-2014-8439) and Silverlight (CVE-2013-0074 / CVE-2013-3896) exploits. This seems to be a general trend among various exploit kits; they drop Java, Internet Explorer, and PDF exploits in favor of the more successful Flash and Silverlight exploits. There are two main reasons behind this: first, Flash and Silverlight are widely used plugins, while Java and Adobe Reader plugins are becoming less common. Also, due to the diversity of the browser market, it's becoming less profitable to use Internet Explorer exploits. Secondly, while browser security has steadily increased over the past few years, the plugins seem to lag behind in terms of security.

Summary

  • Nuclear Pack is a constantly evolving threat, which uses various exploits to compromise a large number of systems.
  • The obfuscation used by different exploit kits, while constantly changing, is unique to each kit, making fingerprinting easier.
  • Flash and Silverlight are the most commonly used exploits.

For a thorough description of the underground ecosystem surrounding Exploit Kits, see Kafeine's blog:
http://malware.dontneedcoffee.com/2012/12/eyeglanceru.html


Abel Toro

Security Researcher

Abel Toro is a Security Researcher with Forcepoint Security Labs' Special Investigations team, focusing on reverse engineering, malware analysis, and threat intelligence. He tracks existing threat groups and identifies new ones – focusing in particular on APTs – through analysing infrastructure,…


Source: https://www.forcepoint.com/blog/x-labs/happy-nuclyear-evolution-exploit-kit
