
Nuclear Exploit Kit Evolves, Includes Silverlight Exploit

  • Posted on: September 23, 2014 at 2:10 am
  • Posted in: Exploits, Vulnerabilities
  • Author: Brooks Li (Threats Analyst)
Exploit kits have long been part of a cybercriminal’s arsenal. One of the most notorious exploit kits in recent years is the Blackhole Exploit Kit. Coverage over this particular exploit kit reached a fevered pitch with the arrest of its author in 2013.

The Blackhole Exploit Kit may have met its demise, but this hasn’t deterred cybercriminals from using other exploit kits for their schemes. In fact, other exploit kits are still in use, often with improvements or upgrades. An example is the Nuclear Exploit Kit.

We observed that the Nuclear Exploit Kit recently added the Silverlight exploit (CVE-2013-0074) to its scope. We believe that the attackers behind the Nuclear Exploit Kit added Silverlight to their roster of targeted software for two reasons: to expand the attack surface and to avoid detection (as not many security solutions have detections for this particular exploit).

The Silverlight exploit

As with the kit's other targeted software, the Nuclear Exploit Kit's landing page first checks whether the victim's system has Silverlight installed. If the check passes, it then attempts to use the Silverlight exploit to drop malware onto the system.

Figure 1. The payload

Upon closer analysis, it appears that an error exists in the version-checking JavaScript code.

Figure 2. The code

This particular exploit has also been used in other exploit kits, such as the Angler Exploit Kit. More details about this exploit were discussed in our blog post, “A Look at a Silverlight Exploit.” Microsoft has released a bulletin (Microsoft Security Bulletin MS13-022) to address the associated vulnerability.

Changes in the Nuclear Exploit Kit

The inclusion of the Silverlight exploit is just one of the changes we have seen in the Nuclear Exploit Kit. The number of exploits used by the kit has doubled since the start of 2014.

Figure 3. Timeline of exploits used by the Nuclear Exploit Kit

“PluginDetect” in Figure 3 refers to a JavaScript library used by attackers to check browser plugin versions. If the detected version matches a vulnerable one, the kit triggers the corresponding exploit.

Figure 4. Vulnerabilities targeted by the current Nuclear Exploit Kit

Checking for antivirus-related files

One notable routine performed by the exploit kit is a check for antivirus driver files. Once a victim is redirected to the exploit kit's landing page, the page checks for specific antivirus driver files, including those for Trend Micro products. Should it find any, the process is terminated. We surmise that the cybercriminals behind this kit abort the attack when these particular driver files are present because, as of this posting, these are the only products that detect the exploit kit.

Figure 5. The XMLDOM exploit in use

The exploit kit uses the XMLDOM exploit (CVE-2013-7331) for this routine. This vulnerability can be used to determine the existence of local path names. This particular exploit was used in a zero-day attack against the website of the US Veterans of Foreign Wars. Microsoft has issued a security bulletin for the associated vulnerability.
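As an added illustration for both routines described above (the PluginDetect-gated Silverlight exploit and the XMLDOM res:// driver-file check), the following Python scanner flags those traits in a captured landing page. This is not code from the post or from Trend Micro; the sample page, the file names and the rule set are constructed assumptions for the example.

```python
import re

# Constructed sample of a landing-page fragment showing the traits the post
# describes: a PluginDetect version check that gates a Silverlight payload,
# and an XMLDOM object paired with res:// paths to antivirus driver files.
# Driver and .xap file names are placeholders, not the kit's real values.
SAMPLE_LANDING_PAGE = r"""
<script src="plugindetect.js"></script>
<script>
var sl = PluginDetect.getVersion("Silverlight");
if (sl) { load("payload.xap"); }
var dom = new ActiveXObject("Microsoft.XMLDOM");
var probes = ["res://C:\\Windows\\System32\\drivers\\EXAMPLE_AV.sys",
              "res://C:\\Windows\\System32\\drivers\\OTHER_AV.sys"];
</script>
"""

# Indicator rules (name, pattern); an assumed rule set derived from the post.
RULES = [
    ("plugindetect_silverlight",
     re.compile(r'PluginDetect\.getVersion\(\s*["\']Silverlight["\']', re.I)),
    ("silverlight_xap_payload", re.compile(r'["\'][^"\']*\.xap["\']', re.I)),
    ("xmldom_activex",
     re.compile(r'ActiveXObject\(\s*["\']Microsoft\.XMLDOM["\']', re.I)),
    # res:// URI pointing into a drivers directory at a .sys file
    ("res_uri_driver_probe",
     re.compile(r'res://[^"\']*\\drivers\\[^"\']*\.sys', re.I)),
]


def scan_landing_page(html: str) -> dict:
    """Return {rule_name: match_count} for every rule that fires on the page."""
    hits = {}
    for name, pattern in RULES:
        count = len(pattern.findall(html))
        if count:
            hits[name] = count
    return hits


def classify(hits: dict) -> list:
    """Map raw hits to the two behaviours the post describes."""
    tags = []
    # XMLDOM plus res:// driver paths is the antivirus-file check routine.
    if "xmldom_activex" in hits and "res_uri_driver_probe" in hits:
        tags.append("av-check-routine")
    # A Silverlight version gate feeding a .xap is the Silverlight exploit path.
    if "plugindetect_silverlight" in hits and "silverlight_xap_payload" in hits:
        tags.append("silverlight-exploit-path")
    return tags or ["no-indicators"]
```

Run the sample through scan_landing_page() and classify() to see both behaviours flagged; a plain HTML page yields no indicators.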

Patches have already been released for all of the vulnerabilities targeted by the Nuclear Exploit Kit. This means that users who have already applied those updates are less likely to be affected by these attacks.

We will continue to monitor the threat landscape for possible damage that the recent changes in the Nuclear Exploit Kit may bring.

With additional analysis by Weimin Wu
