An evolved version of the Nuclear exploit attempting to spread a variety of malicious payloads has been uncovered by Cisco's Talos team. However, it appears those behind the update have botched the job and it is currently not working properly.
Talos researcher Nick Biasini reported uncovering the evolved exploit kit in a threat advisory, warning that it uses several new advanced functionalities traditionally seen on other attack tools, like the Angler exploit, to improve its success rate.
"Talos has found a Nuclear campaign using Domain Shadowing and HTTP 302 cushioning prevalent in Angler," read the report.
"It has been effectively rotating IP addresses, subdomains, and parent domains at a relatively quick rate.
"Additionally, the campaigns are usually using the threat actors' own domains that are registered. The current campaigns Talos is observing are using uncommon top level domains (TLDs) pretty heavily."
These techniques give the criminals running the Nuclear kit a range of new capabilities.
"This new attack chain has actually led to an infrastructure that could allow various different payloads to be served," explained the paper.
"It's possible that this is the true purpose behind the base64 encoded referrer being attached to the index.php request as a parameter. The miscreants could direct victims to various different payloads based on these referrers."
However, according to Cisco, the group developing Nuclear has been too clever for its own good and diminished the kit's success rate.
"The biggest change is that it appears to be so sophisticated that it's not working properly," explained Biasini.
"Initially it was directing to broken links. Then it directed some of the victims to a browser lock that tied in to a tech support scam. Finally, users started hitting the Nuclear Exploit Kit and were served malicious flash files that failed to compromise the systems."
Cisco warned that, despite currently being a botched job, the update could become a serious threat if developed further.
"The interesting part is that this appears to be a work in progress. Once this gets completed it will be a threat worth watching," read the advisory.
"The use of a combination of 302 cushioning, domain shadowing, and script based redirection allows this group to push large amounts of users to various payloads through many layers of obfuscation."
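As an added example, not code from the Talos advisory or from V3, the following Python sketches how a defender might flag the pattern the advisory describes in proxy logs: a run of 302 redirects across rotating hosts that ends on an index.php request carrying a base64 encoded referrer. The query parameter name `r`, the hop threshold and the log entries are constructed assumptions; the advisory does not name the parameter.

```python
import base64
import binascii
from urllib.parse import urlparse, parse_qs

# Constructed sample session from a web proxy log, oldest first: (status, URL).
# The kit's referrer parameter name "r" is an assumption, not from the advisory.
ORIGIN = "http://news.example.com/story.html"
ENCODED_REFERRER = base64.b64encode(ORIGIN.encode()).decode()
SESSION = [
    (200, ORIGIN),                                         # compromised/ad-bearing page
    (302, "http://ads.example.net/serve"),                 # first cushion hop
    (302, "http://a1b2c3.legit-owner.example/go"),         # shadowed subdomain hop
    (200, f"http://x9y8z7.shadowed.example.xyz/index.php?r={ENCODED_REFERRER}"),
]


def decode_b64_param(url, param="r"):
    """Return the decoded text of a base64 query parameter, or None if absent/invalid."""
    values = parse_qs(urlparse(url).query).get(param, [])
    for value in values:
        try:
            return base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None


def analyse_session(events, min_hops=2):
    """Look for 302 cushioning ending at an index.php landing page.

    A finding requires at least `min_hops` consecutive 302 responses on distinct
    hosts immediately before a request whose path ends in index.php and whose
    base64 parameter decodes to a URL (the original referrer Talos describes).
    """
    hops = []
    for status, url in events:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if status == 302:
            hops.append(host)
            continue
        if parsed.path.endswith("index.php") and len(set(hops)) >= min_hops:
            original = decode_b64_param(url)
            if original and original.startswith("http"):
                return {"landing": host, "hops": hops, "original_referrer": original}
        hops = []  # any non-redirect response breaks the chain
    return None


if __name__ == "__main__":
    print(analyse_session(SESSION))
```

Real deployments would additionally check the landing host's TLD and registration age, since the advisory notes the use of uncommon TLDs and freshly rotated subdomains.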
The news comes during a reported war of the exploit kits, as hacker groups fill the void created by the death of Blackhole. Traditionally, Blackhole had been the favoured exploit kit of most organised crime groups.
However, use of Blackhole plummeted after the arrest of its author in 2013. Following its demise, use of the Angler exploit kit has grown and the attack tool has been used in a number of high-profile campaigns.
In May researchers at Dell SecureWorks uncovered a campaign using the Angler exploit kit and Tor network to spread the TeslaCrypt ransomware in an attempt to defraud companies of bitcoin payments worth thousands of dollars.
Biasini told V3 that the battle for control is an issue, but added that the Nuclear kit's evolution is largely due to the wider growth in profitability of the cyber crime-as-a-service market.
"As the monetization of hacking explodes there is a large economy associated with these web-based exploit platforms. This economy is driving innovation and has really made strides in the last six months. This most recent update to Nuclear is indicative of a larger trend Talos has been analyzing in 2015," he said.
"The threats that were historically considered less sophisticated and in some cases an annoyance have really started to evolve and gain surprising sophistication. Beginning with Angler exploit kit adding 0-day attacks and the added levels of obfuscation the attackers have been using to bypass specific security solutions.
"Attackers have started morphing the exploit payload on an almost constant basis to bypass anti-virus detection and domain shadowing has started to spread to defeat blacklist based web defence systems."