Researchers have spotted a Nuclear exploit kit attack in which new Flash Player exploits are automatically generated throughout the day in an effort to avoid detection.
In order to keep up with the developers of other exploit kits, the authors of Nuclear EK have made some significant improvements to their creation. According to researchers at Israel-based cyber defense firm Morphisec, the changes made to Nuclear EK are designed to increase the chances of bypassing signature and behavior-based solutions, and make it more difficult for experts to analyze attacks.
Morphisec discovered the changes made to the Nuclear exploit kit while analyzing three websites that had been compromised and abused to redirect visitors to Nuclear EK hosts. Experts noticed that the hijacked websites changed the location of the exploit kit host victims had been redirected to, including the URL and its pattern, every hour.
Malicious Flash files served by the exploit kit sites change their content every time, but they maintain the same size, experts said. The said Flash files, designed to exploit a patched Flash Player vulnerability in an effort to push malware onto victims’ computers, are generally the same, but the names of functions and variables are changed every time.
“This led us to the conclusion that Nuclear Exploit Kit generates new exploits on the fly to bypass any signature or hash based solution, and it does it very successfully,” Michael Gorelik, Morphisec’s VP of research and development, explained in a blog post.
Researchers also found that the exploit kit host tracks victims’ IP addresses to ensure that the same exploit is not served to the same user twice from the same host. This offers two advantages for the attackers: it helps them evade man-in-the-middle (MitM) defenses, and prevents researchers from replaying the attack and reverse engineering the exploit.
Another modification is designed to make it more difficult for experts to extract the exploit from the malicious file.
Earlier this month, Morphisec analyzed a Nuclear EK Flash Player exploit designed to bypass some mitigation implemented by Adobe. At the time, experts cracked the encryption using a technique described in September by Kaspersky Lab. In the more recent variant, the encryption has been improved to prevent researchers from extracting the exploit.
“The exploits we researched take advantage of a vulnerability that have been patched by Flash. But this doesn’t mean you can relax, since an Exploit Kit that generates new, sophisticated variants on the fly with a formula of ‘changing encryption + changing servers + changing files + changing whatever else’ can leverage any type of zero day exploit,” Gorelik said.
