Most people are interested in working with a cloud business model nowadays, even malware programmers. Rather than selling a security exploit once, malware authors are now selling malware as a cloud-based service, which means they make money each time someone pays to rent it. Exploit kits (EKs) have been very effective at infecting end users. There are many EKs in the Malware-as-a-Service market, and the Nuclear EK has been one of them since 2010.
“Developers create tools that they sell or rent to customers through online black markets, complete with sales, money-back guarantees, and reputation systems to provide customers with assurances that they won’t get ripped off,” reads the 2016 Trustwave Global Security Report.
Like its competitors, the Nuclear EK is rented to attackers for a limited time by its creators and is ready to use via its control panel. According to Check Point’s report, this panel runs on an nginx/1.8.0 server on a non-standard port in order to hide itself from web crawlers. All of the control panels are fed by a master server, which contains the Flash, JavaScript and VBScript exploits and pushes the malware onto targeted systems.
Check Point reports that it has found 15 active control panels for Nuclear, each rented for a few thousand dollars per month. It is estimated that the creators of the Nuclear EK are earning nearly 100K USD each month.
The authors of the code check the country from which the victim is browsing: the kit does not run against victims in Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, and Ukraine, most probably to avoid problems with the law in these countries.
Despite not running in these countries, Check Point’s statistics say that 1,846,678 machines were attacked and 184,568 machines were successfully exploited, a success rate of nearly 10%. As you can see in the graph below, which presents the successful infection rate per browser, the browser with the highest percentage of success is Internet Explorer version 8.
According to the report, Europe and the US are the main targets. Although many banking trojans are distributed by the exploit kit, the number of ransomware infections is nearly three times that of banking trojan infections.
Studies made by Bitdefender show us that:
Written by: Süleyman Petek
Süleyman Petek is an application security guy who also loves to write code.
He has been on enterprise level projects since 2005 as a developer, as a scrum master and also as a software architect.
He lives in Istanbul, Turkey, and tries to keep his weblogs alive at www.suleymanpetek.com.
(Security Affairs – Nuclear EK, malware)