Researchers have spotted a Nuclear exploit kit attack in which new Flash Player exploits are automatically generated throughout the day in an effort to avoid detection.
In order to keep up with the developers of other exploit kits, the authors of Nuclear EK have made some significant improvements to their creation. According to researchers at Israel-based cyber defense firm Morphisec, the changes made to Nuclear EK are designed to increase the chances of bypassing signature and behavior-based solutions, and make it more difficult for experts to analyze attacks.
Morphisec discovered the changes made to the Nuclear exploit kit while analyzing three websites that had been compromised and abused to redirect visitors to Nuclear EK hosts. Experts noticed that the hijacked websites changed the location of the exploit kit host victims had been redirected to, including the URL and its pattern, every hour.
Malicious Flash files served by the exploit kit sites change their content every time, but they maintain the same size, experts said. The said Flash files, designed to exploit a patched Flash Player vulnerability in an effort to push malware onto victims’ computers, are generally the same, but the names of functions and variables are changed every time.
“This led us to the conclusion that Nuclear Exploit Kit generates new exploits on the fly to bypass any signature or hash based solution, and it does it very successfully,” Michael Gorelik, Morphisec’s VP of research and development, explained in a blog post.
Researchers also found that the exploit kit host tracks victims’ IP addresses to ensure that the same exploit is not served to the same user twice from the same host. This offers two advantages for the attackers: it helps them evade man-in-the-middle (MitM) defenses, and prevents researchers from replaying the attack and reverse engineering the exploit.
Another modification is designed to make it more difficult for experts to extract the exploit from the malicious file.
Earlier this month, Morphisec analyzed a Nuclear EK Flash Player exploit designed to bypass some mitigation implemented by Adobe. At the time, experts cracked the encryption using a technique described in September by Kaspersky Lab. In the more recent variant, the encryption has been improved to prevent researchers from extracting the exploit.
“The exploits we researched take advantage of a vulnerability that have been patched by Flash. But this doesn’t mean you can relax, since an Exploit Kit that generates new, sophisticated variants on the fly with a formula of ‘changing encryption + changing servers + changing files + changing whatever else’ can leverage any type of zero day exploit,” Gorelik said.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
Latest News
- Sentra Raises $30 Million for DSPM Technology
- Cyber Insights 2023: Cyberinsurance
- Cyber Insights 2023: Attack Surface Management
- Cyber Insights 2023: Artificial Intelligence
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- Guardz Emerges From Stealth Mode With $10 Million in Funding
- How the Atomized Network Changed Enterprise Protection
- Critical QNAP Vulnerability Leads to Code Injection
