Inner Workings of Nuclear Exploit Kit Spreading Crypto-ransomware
The topic of crypto-ransomware is still fresh in the minds of consumers and enterprises all over the world. Security experts have revealed the inner workings of the Nuclear exploit kit, which keeps making waves despite attempts to shut down its original servers. It appears the creators of this kit prefer to use DigitalOcean to spread their malware to unsuspecting users.
What Makes The Nuclear Exploit Kit Tick?
As most people are aware, most types of crypto-ransomware are spread to computers through so-called exploit kits. Although Angler is the most common EK in that regard, Nuclear is well worth keeping an eye on as well. In fact, this particular exploit kit is rather hard to eliminate, even after the hosting company took down the servers spreading this malware.
This is where things get fascinating, as it turns out DigitalOcean is the place-to-be for the Nuclear exploit kit creators. By deploying cheap instances serving websites with malicious code to spread the malware, these internet criminals have been successful in their attempts to spread Locky and other types of crypto-ransomware in the past few months.
Unfortunately, the server shutdown by DigitalOcean did not do much in the end, as the Nuclear operators set up new instances of their servers in mere hours. What makes their approach so brilliant in its simplicity is their use of coupon codes, which grant a set number of free hours of running a DigitalOcean instance. All it takes is a random email address and a coupon, which effectively lets the operators bypass traditional payment solutions.
Setting up the exploit kit servers is just one aspect of this story, though. The Nuclear exploit kit itself packs quite the punch under the hood, as it is built on a multi-tier server architecture. One master server provides automatic “updates” to console servers, which are used by paying clients to customize and distribute their payload of malware and crypto-ransomware. Every console server in turn manages several landing page servers, which is where the real magic happens.
It is also interesting to note that the Nuclear exploit kit is mostly used to target Spanish speakers, for some unknown reason. It appears that a large portion of the traffic visiting these exploit pages was coming from a Spanish ad for adult webcams. That is not the most worrying part, however, as one particular server saw as many as 60,000 unique IP addresses accessing the platform in a single day.
At this time, it looks all but impossible for the Nuclear exploit kit to go away entirely. Disrupting the DigitalOcean servers has done nothing other than buy a small amount of time. Both Cisco and Check Point are stepping up their efforts to identify these landing pages and exploit attacks, but it will be an uphill battle, to say the least.
What are your thoughts on the inner workings of the Nuclear exploit kit? Let us know in the comments below!
Source: Ars Technica
Images courtesy of Shutterstock