Inside Nuclear’s Core: Analyzing the Nuclear Exploit Kit Infrastructure

Malware uses different methods to propagate. Exploit kits (EKs) have been one of the most common platforms for infecting end-users in the past few years. While there are several different EKs out in the wild, a few stand out. One of these is the Nuclear Exploit Kit, which was introduced in 2010.

As part of the Malware-as-a-Service market, most exploit kits are rented by their creators to attackers worldwide for a certain period of time. All you need to do to have an up-and-running attack infrastructure is to rent it through an underground community and voilà, you can now infect users with the malware of your choice. Leading exploit kits are sold in cybercriminal circles for a few thousand dollars a month. An attacker with a good business sense can use such an asset to generate a profit that surpasses the cost of the exploit kit.

Exploit kits tend to adapt to new security measures. Isolating and analyzing a single infection variant does not give security vendors the upper hand in fighting them.

We recently had the opportunity to take a peek inside Nuclear’s management system. We were able to extract extensive information which sheds light on the Nuclear Exploit Kit.

In the following report, Inside Nuclear’s Core: Analyzing the Nuclear Exploit Kit Infrastructure – Part I, we review in detail the various capabilities, exploits, and techniques employed by Nuclear. The report unravels Nuclear’s operation scheme and all of its features, from the control panel, through the URL logic, to the landing page served by the EK. Furthermore, we explore the master server, infection flow, exploits, and other internal logic. In addition, we present the active malware campaigns distributed by Nuclear, and its infection statistics.


Check Point Protections

Check Point protects its customers against attacks delivered via the Nuclear exploit kit at each stage of the redirection chain, prior to infection, via designated protections integrated into our IPS blade. The protections are:

  • Nuclear Exploit Kit Landing Page – Detects and blocks typical patterns and behaviors of the kit’s landing pages.
  • Nuclear Exploit Kit Redirection – Detects and blocks typical patterns and behaviors of the kit’s redirection mechanism.

Check Point recommends that its customers set the above IPS protections to Prevent mode.