Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

M&A Tracker

Nuclear EK Generates Flash Exploits On-the-Fly to Evade Detection

Researchers have spotted a Nuclear exploit kit attack in which new Flash Player exploits are automatically generated throughout the day in an effort to avoid detection.

Researchers have spotted a Nuclear exploit kit attack in which new Flash Player exploits are automatically generated throughout the day in an effort to avoid detection.

In order to keep up with the developers of other exploit kits, the authors of Nuclear EK have made some significant improvements to their creation. According to researchers at Israel-based cyber defense firm Morphisec, the changes made to Nuclear EK are designed to increase the chances of bypassing signature and behavior-based solutions, and make it more difficult for experts to analyze attacks.

Morphisec discovered the changes made to the Nuclear exploit kit while analyzing three websites that had been compromised and abused to redirect visitors to Nuclear EK hosts. Experts noticed that the hijacked websites changed the location of the exploit kit host victims had been redirected to, including the URL and its pattern, every hour.

Malicious Flash files served by the exploit kit sites change their content every time, but they maintain the same size, experts said. The said Flash files, designed to exploit a patched Flash Player vulnerability in an effort to push malware onto victims’ computers, are generally the same, but the names of functions and variables are changed every time.

“This led us to the conclusion that Nuclear Exploit Kit generates new exploits on the fly to bypass any signature or hash based solution, and it does it very successfully,” Michael Gorelik, Morphisec’s VP of research and development, explained in a blog post.

Researchers also found that the exploit kit host tracks victims’ IP addresses to ensure that the same exploit is not served to the same user twice from the same host. This offers two advantages for the attackers: it helps them evade man-in-the-middle (MitM) defenses, and prevents researchers from replaying the attack and reverse engineering the exploit.

Another modification is designed to make it more difficult for experts to extract the exploit from the malicious file.

Earlier this month, Morphisec analyzed a Nuclear EK Flash Player exploit designed to bypass some mitigation implemented by Adobe. At the time, experts cracked the encryption using a technique described in September by Kaspersky Lab. In the more recent variant, the encryption has been improved to prevent researchers from extracting the exploit.

Advertisement. Scroll to continue reading.

“The exploits we researched take advantage of a vulnerability that have been patched by Flash. But this doesn’t mean you can relax, since an Exploit Kit that generates new, sophisticated variants on the fly with a formula of ‘changing encryption + changing servers + changing files + changing whatever else’ can leverage any type of zero day exploit,” Gorelik said.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

Dan Pagel has been named the new CEO of risk management and remediation firm Brinqa.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.