Exploit kits have long been part of a cybercriminal’s arsenal. One of the most notorious exploit kits in recent years is the Blackhole Exploit Kit. Coverage over this particular exploit kit reached a fevered pitch with the arrest of its author in 2013.
The Blackhole Exploit Kit may have met its demise, but this hasn’t deterred cybercriminals from using other exploit kits for their schemes. In fact, other exploit kits are still in use, often with improvements or upgrades. An example is the Nuclear Exploit Kit.
We observed that the Nuclear Exploit Kit exploit kit recently included the Silverlight exploit (CVE-2013-0074) in its scope. We believe that the attackers behind the Nuclear Exploit Kit included Silverlight in its roster of targeted software for two reasons: to have an expanded attack surface and to avoid detection (as not many security solutions have detections for this particular exploit).
The Silverlight exploit
Like other targeted software, the Nuclear Exploit Kit’s landing page will check if the victim’s system has Silverlight installed. If the check passes, it will then attempt to use the Silverlight exploit to drop malware into the system.
Figure 1. The payload
Upon closer analysis, it appears that an error exists in the version checking the JavaScript code.
Figure 2. The code
This particular exploit has also been used in other exploit kits, such as the Angler Exploit Kit. More details about this exploit were discussed in our blog post, “A Look at a Silverlight Exploit.” Microsoft has released a bulletin (Microsoft Security Bulletin MS13-022) to address the associated vulnerability.
Changes in the Nuclear Exploit Kit
The inclusion of the Silverlight exploit is just one of the changes we have seen in the Nuclear Exploit Kit. The number of exploits used by the kit has doubled since the start of 2014.
Figure 3. Timeline of exploits used by the Nuclear Exploit Kit
“PluginDetect” in Figure 3 refers to a JavaScript library used by hackers to check browser plugin versions. If the version matches it will trigger the exploit.
Figure 4. Vulnerabilities targeted by the current Nuclear Exploit Kit
Checking for antivirus-related files
One notable routine performed by the exploit kit is the checking of antivirus driver files. Once the exploit redirects victims to the exploit kit’s landing page, the page checks for specific antivirus driver files, including those for Trend Micro products. Should it find any, the process is terminated. We surmise that the cybercriminals behind this, terminate certain antivirus driver files since these are the only products that can detect the said exploit kit, as of this posting.
Figure 5. The XMLDOM exploit in use
The exploit kit uses the XMLDOM exploit (CVE-2013-7331) for this routine. This vulnerability can be used to determine the existence of local path names. This particular exploit was used in a zero-day attack against the website of the US Veterans of Foreign Wars. Microsoft has issued a security bulletin for the associated vulnerability.
In fact, patches have already been released for the vulnerabilities targeted by the Nuclear Exploit Kit. This means that if users have already applied the update for them, they are less likely to be affected by attacks.
We will continue to monitor the threat landscape for possible damage that the recent changes in the Nuclear Exploit Kit may bring.
With additional analysis by Weimin Wu
