Inside Nuclear’s Core: Unraveling a Ransomware-as-a-Service Infrastructure

The Check Point Research team has uncovered the entire operation of one of the world’s largest attack infrastructures. Exploit Kits are a major part of the Malware-as-a-Service industry, which facilitate the execution of ransomware and banking trojans, among others. Their creators rent them to cybercriminals who use them to attack unsuspecting users. Nuclear is one of the top Exploit Kits, both in complexity and in spread.

We offer you the Inside Nuclear’s Core: Unraveling a Malware-as-a-Service Infrastructure report, a unique, first-of-its-kind view into the heart of a cybercriminal syndicate. First, we review the Malware-as-a-Service infrastructure, created by the Exploit Kit’s developers. Second, we inspect the attackers’ use of the Nuclear foundation to spread malware worldwide. We also review the effect these campaigns have on the victims, and assess the damage caused by the perpetrators.

The puppet masters behind the scenes

Nuclear’s infrastructure is not the work of a lone wolf. According to our findings, the leading developer is located in Krasnodar, Russia. Nuclear is rented to cybercriminals for a few thousand dollars a month. We found 15 active Nuclear control panels. Doing the math, we can infer that the perpetrator behind Nuclear’s operation accumulates revenue of approximately $100,000 a month. We were also able to analyze the inner working of the Exploit Kit, including the actual source code and the exploits it uses.

The puppet masters were apparently startled by our findings. Following our previous publication, all known Nuclear servers were shut down.

Meet the tenants

Each attacker rents a server with a control panel from which he can manage his malware campaign. The attacker uses Nuclear to distribute any malware he wishes. Below is an example of one of the attacker’s control panel, providing various statistics.

With the current ransomware trend, it’s not surprising to see that ransomware is the dominant payload for attackers.

Monetizing: the victims

The victims of this malicious campaign are located all over the globe, as can be seen in the figure below. Nuclear does not attack countries which belong to the Eastern Partnership, in order to avoid law enforcement activities against the developers. In the last month alone, Nuclear attacked 1,846,678 machines. The success rate of these attacks was 9.95%, resulting in 184,568 infected machines.

For the victims, the end result is an infection by malware.

Below is a ransomware notice from Locky we analyzed a few months ago served by Nuclear.

Nuclear served 110,000 Locky droppers in the inspected month, costing victims around $12,650,000.[i]

So, how does it work?

The service provider owns the master server, which controls all of the attackers’ servers. Each attacker receives his own Nuclear control panel, where he can view and manage his malicious campaign. Each server has a number of landing page servers. Unsuspecting users are directed to these servers to be infected [i]. A low ransom demand by Locky ransomware is 0.5 BitCoins or $230. According to a Bitdefender’s research, about half of all American victims pay the ransom demand.

This diagram shows the infection flow.

As depicted above, the process is as follows:

1. The user accesses a compromised website.
2. The websites refers the user to the TDS (Traffic Distribution Service).
3. The TDS asks the attacker’s Nuclear panel for a landing page server.
4. The user is redirected to the landing page server.
5. The landing page server relays the traffic to the panel.
6. The user is served with the exploit.
7. If the exploitation is successful, the user receives the malicious payload from the server.

All of this occurs in a matter of seconds. The user is infected without noticing anything is wrong, or even clicking a link. Even sticking only to well-known or trusted sites does not ensure the user’s safety, as seen in the latest Malvertising campaigns.

Analyzing Nuclear

In our previous publication, we began unraveling the Nuclear Exploit Kit. We reviewed various aspects of Nuclear’s activity, including the control panel used by attackers, the general flow of its operation, the URL logic, the landing page, and the vulnerabilities the Exploit Kit uses to infiltrate machines.

In this report we analyze the missing links. We explore the master server, the infection flow in detail, and more internal logic such as delivering the payloads. Understanding Nuclear’s tactics in full will help security vendors to tackle it, and even defeat it completely. Check Point strives to provide the best understanding and protection by actively tackling the attackers, and keeping users one step ahead of malware.

[1] A low ransom demand by Locky ransomware is 0.5 BitCoins, or 230$. According to a Bitdefender’s research, about half of all American victims pay the ransom demand.