Malware

Nuclear operators work to stiffen exploit kit competition

Cisco's Talos Group found that Nuclear Exploit Kit (EK) operators are leveraging new tactics to try to obfuscate the threat's payload delivery process.

Researcher Nick Biasini published a blog post Tuesday on recent attacks, specifically noting how the Nuclear campaign used domain shadowing and HTTP 302 cushioning “prevalent in Angler,” a competitor exploit kit, to hide its activities.

Domain shadowing is a technique where “threat actors use compromised registrant accounts to create large amounts of malicious subdomains,” he explained, while 302 cushioning allows miscreants to use HTTP 302 redirects over iframes to circumvent signature-based intrusion detection systems.

“The interesting part is that this appears to be a work in progress,” Biasini said, adding that attacks initially directed users to broken links, then eventually to Nuclear where malicious flash files failed to compromise systems. “Once this gets completed it will be a threat worth watching,” he said.

Related

Rootkit capabilities likely with Windows bugs

Several rootkit-like capabilities could be obtained by threat actors through the exploitation of vulnerabilities in Windows' DOS-to-NT path conversion process, including file and process concealment and compromised prefetch file analysis, reports The Hacker News.

Abusing GitHub flaw could compromise GitLab

Open-source DevOps software project GitLab has also been impacted by the same security issue in GitHub comments that has been exploited by threat actors through Microsoft repository-linked URLs to facilitate the distribution of malware that was made to seem to originate from credible entities' official source code repositories, according to BleepingComputer.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.