
Nuclear EK targeting users in 10K cities worldwide, hides behind porn

Noting that the Nuclear exploit kit (EK) has been operating “largely off the radar” of late compared to its other more prolific peers, Cisco Talos Threat Researcher Nick Biasini wrote in a Wednesday blog post that the EK “has been successfully targeting and compromising users in more than 10,000 different cities in more than 150 countries” and that the bulk of activity was being hosted by DigitalOcean.

“As far as sophistication is concerned, this Nuclear exploit kit is very well organized. They went to great lengths to ensure that as little data as possible is left on the proxy servers,” Biasini told SCMagazine.com in a Wednesday email. “These exploit kits are generating millions of dollars in revenue and have really become efficient and effective in compromising users.”

While Cisco Talos found similarities to the Angler EK, the researcher said that Angler had focused its attention on 15 countries, particularly targeting users in the U.S. and U.K. But Nuclear EK “seemed to be heavily targeting outside those areas – specifically Spanish speaking countries.”

Indeed, according to the blog post, Spain accounted for nearly 20 percent of the hosts interacting in one day with a single server whose traffic Cisco Talos analyzed. “We wanted to look at how this related to the amount of native speakers globally.”

About 60,000 unique IPs were connected to the server, raising questions as to how the activity has so adeptly remained hidden. “The answer was both obvious and surprising: Porn/Adult Entertainment websites,” Biasini wrote, explaining that nearly half of those IPs “were directing from a single webcam ad that was hosted on a porn site.” Cisco Talos observed it “redirecting in excess of 25K IPs to Nuclear in a single day.” The ad had the Spanish word “chicas” in the bottom corner.
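The finding above is a concentration pattern a defender can look for in their own web-proxy logs: one referrer supplying an outsized share of the unique client IPs that reach a suspicious landing host. The script below is an added example, not code from the article or from Cisco Talos; the log lines are constructed, the hostnames (`ads.example.test`, `gate.example.test`, `shop.example.test`) are placeholders, and the 40 percent threshold is an arbitrary assumption for illustration. It counts unique IPs per referrer and per country for a given destination, the same two cuts the article reports.

```python
# Added example (not from the SC Media article or Cisco Talos): flag a single
# referrer that dominates traffic to a landing host, the pattern the article
# describes (one webcam ad supplying nearly half of ~60K unique IPs).
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic), one per request:
#   client_ip  country  referrer ("-" if none)  destination_url
# Hostnames are placeholders; the final line is a repeat visit from 10.0.0.1.
SAMPLE_LOG = """\
10.0.0.1 ES http://ads.example.test/cam-chicas http://gate.example.test/land
10.0.0.2 ES http://ads.example.test/cam-chicas http://gate.example.test/land
10.0.0.3 MX http://ads.example.test/cam-chicas http://gate.example.test/land
10.0.0.4 AR http://ads.example.test/cam-chicas http://gate.example.test/land
10.0.0.5 ES http://ads.example.test/cam-chicas http://gate.example.test/land
10.0.0.6 US http://news.example.test/story http://gate.example.test/land
10.0.0.7 ES - http://gate.example.test/land
10.0.0.8 US http://news.example.test/story http://shop.example.test/cart
10.0.0.9 GB - http://shop.example.test/cart
10.0.0.10 DE http://blog.example.test/post http://shop.example.test/cart
10.0.0.1 ES http://ads.example.test/cam-chicas http://gate.example.test/land
"""


def parse_log(text):
    """Parse the constructed log format into dicts; keep only the destination host."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, country, referrer, dest = line.split()
        records.append({
            "ip": ip,
            "country": country,
            "referrer": None if referrer == "-" else referrer,
            "dest": urlsplit(dest).hostname,
        })
    return records


def unique_ips_by(records, dest_host, key):
    """Group unique client IPs reaching dest_host by `key` ('referrer' or 'country')."""
    groups = defaultdict(set)
    for r in records:
        if r["dest"] == dest_host:
            groups[r[key]].add(r["ip"])
    return groups


def shares(records, dest_host, key):
    """Return ({value: fraction of unique IPs}, total unique IPs) for dest_host."""
    groups = unique_ips_by(records, dest_host, key)
    total = len(set().union(*groups.values())) if groups else 0
    return {k: len(v) / total for k, v in groups.items()}, total


def dominant_referrer(records, dest_host, threshold=0.4):
    """Return (referrer, share, total) if one referrer supplies >= threshold of
    the unique IPs hitting dest_host; otherwise None. Threshold is an assumption."""
    by_ref, total = shares(records, dest_host, "referrer")
    if total == 0:
        return None
    ref, share = max(by_ref.items(), key=lambda kv: kv[1])
    if ref is not None and share >= threshold:
        return ref, share, total
    return None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host in ("gate.example.test", "shop.example.test"):
        hit = dominant_referrer(recs, host)
        by_country, total = shares(recs, host, "country")
        print(host, "unique IPs:", total, "dominant referrer:", hit)
        print("  country share:", {c: round(s, 2) for c, s in by_country.items()})
```

Run against real proxy exports, the same two tables (share by referrer, share by country) are what turned a single ad into the lead in the Talos analysis; the heuristic only surfaces candidates, and a legitimate campaign landing page will show the same concentration, so the flagged referrer still needs a human look.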

“Leveraging adult/pornographic websites isn't new to hosting malicious activity,” Biasini told SCMagazine.com. “What was surprising was how effective it is.”

He called the 25,000 redirects “a lot of traffic to your exploit kit without a lot of effort or visibility.”

Similarities to the Angler EK included “proxy configurations, doing some level of health monitoring, and tracking of IP addresses,” Biasini said. In the blog post he called the health monitoring flow interesting “since it originates from the exploit server to the proxy server, which in turn directs it to the exploit server getting a response.”
