We have detected through feedback from the Trend Micro™ Smart Protection Network™ that the Nuclear Exploit Kit has been updated to include the recently fixed Adobe Flash Player vulnerability identified as CVE-2015-0336. We first saw signs of this malicious activity on March 18 this year.
This particular vulnerability was only recently fixed as part of Adobe’s regular March update for Adobe Flash Player which upgraded the software to version 18.104.22.168. However, our feedback indicates that many users are still running the previous version (22.214.171.1245). (We recommend that users stay up-to-date with the latest Flash Player version, and this incident is an excellent reminder of why.) We noted earlier this month that Flash Player was being targeted more frequently by exploit kits, and that pattern shows no sign of changing soon.
This exploit, detected as SWF_EXPLOIT.OJF, is being distributed to users via compromised websites, including one for an Internet Explorer repair tool and various Japanese pornographic sites. Users are directed to landing page located at hxxp://_ibalinkmedia[.]com/S0ldSAZRTlpQVV8MXFhfUVcMUx1RW14.html; this loads the Flash exploit located at hxxp://_ibalinkmedia[.]com/V0tCSEofXU8HAE9UCgBOXVEEXlpcX14AVlpTGlAKX08ABgNLBwAcAA
We believe that this is the Nuclear Exploit Kit for two reasons: first, the style of the URLs listed above is consistent with previous Nuclear attacks. Secondly, the content of the landing page is also consistent with the Nuclear Exploit Kit:
Figure 1. HTML code of landing page
Our feedback information shows that more than 8,700 users have visited the above URLs. More than 90% of these victims are from Japan.
Figure 2. Distribution of would-be victims by country
Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates. The Browser Exploit Prevention feature in our endpoint products such as Trend Micro™ Security, OfficeScan, and Worry-Free Business Security blocks the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention protects against exploits that target browsers or related plugins.
The SHA1 of the malicious Adobe Flash exploit is: