Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

M&A Tracker

Nuclear EK Generates Flash Exploits On-the-Fly to Evade Detection

Researchers have spotted a Nuclear exploit kit attack in which new Flash Player exploits are automatically generated throughout the day in an effort to avoid detection.

Researchers have spotted a Nuclear exploit kit attack in which new Flash Player exploits are automatically generated throughout the day in an effort to avoid detection.

In order to keep up with the developers of other exploit kits, the authors of Nuclear EK have made some significant improvements to their creation. According to researchers at Israel-based cyber defense firm Morphisec, the changes made to Nuclear EK are designed to increase the chances of bypassing signature and behavior-based solutions, and make it more difficult for experts to analyze attacks.

Morphisec discovered the changes made to the Nuclear exploit kit while analyzing three websites that had been compromised and abused to redirect visitors to Nuclear EK hosts. Experts noticed that the hijacked websites changed the location of the exploit kit host victims had been redirected to, including the URL and its pattern, every hour.

Malicious Flash files served by the exploit kit sites change their content every time, but they maintain the same size, experts said. The said Flash files, designed to exploit a patched Flash Player vulnerability in an effort to push malware onto victims’ computers, are generally the same, but the names of functions and variables are changed every time.

“This led us to the conclusion that Nuclear Exploit Kit generates new exploits on the fly to bypass any signature or hash based solution, and it does it very successfully,” Michael Gorelik, Morphisec’s VP of research and development, explained in a blog post.

Researchers also found that the exploit kit host tracks victims’ IP addresses to ensure that the same exploit is not served to the same user twice from the same host. This offers two advantages for the attackers: it helps them evade man-in-the-middle (MitM) defenses, and prevents researchers from replaying the attack and reverse engineering the exploit.

Another modification is designed to make it more difficult for experts to extract the exploit from the malicious file.

Earlier this month, Morphisec analyzed a Nuclear EK Flash Player exploit designed to bypass some mitigation implemented by Adobe. At the time, experts cracked the encryption using a technique described in September by Kaspersky Lab. In the more recent variant, the encryption has been improved to prevent researchers from extracting the exploit.

“The exploits we researched take advantage of a vulnerability that have been patched by Flash. But this doesn’t mean you can relax, since an Exploit Kit that generates new, sophisticated variants on the fly with a formula of ‘changing encryption + changing servers + changing files + changing whatever else’ can leverage any type of zero day exploit,” Gorelik said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

M&A Tracker

The SecurityWeek editorial team huddled over the holidays to look back at the stories that shaped 2022 and, more importantly, to stare into a...

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...