Threat Management

Nuclear EK drops out of sight: Check Point

Researchers at Check Point are taking credit for knocking the Nuclear Exploit Kit out of use, saying the EK's usage has dropped to almost zero since the security company released a pair of reports that revealed its weaknesses.

However, Craig Young computer security researcher for Tripwire, while confirming that Check Point's work was a dagger into Nuclear, questioned whether it would have been smarter for Check Point to play its cards close to the vest and not go public with its findings.

In April and May Check Point issued two reports on Nuclear that went through the EK in great detail, explaining every aspect of how it operated and the company believes this revelation has helped make Nuclear useless to cybercriminals. The company said that Nuclear disappeared from their radar screen soon after the initial report was released.

"At the end of April, just a few days after our first report was published, the existing Nuclear infrastructure ceased operation entirely – all Nuclear panel instances and the master server stopped serving malicious content and responding to requests from their IP addresses, the researchers said."

Nuclear was used primarily to drop Locky ransomware. 

“We analyzed Nuclear's operation scheme and its features, including the control panel, the landing page served by the exploit kit, the master server, infection flow, exploits and other internal logics,” the Check Point research team told in an email.

Young said Nuclear's operator probably shut down to avoid any unwanted attention from security researchers.

“As Checkpoint has explained it, the master server has knowledge of all Nuclear control panels, exploit updates, and likely landing page servers.  The details in the report could allow grey hat researchers or competing criminals insight into how to locate and compromise this important central server.  The reports also provide more than enough information for security tools to very effectively detect and block attacks from the exploit kit thereby substantially reducing its effectiveness and value,” Young told in an email.

Security researcher Kafeine, who writes at the Malware Don't Need Coffee blog, also noted nuclear's disappearance and that coinciding with the Check Point report.

Check Point also cited Symantec's Latest Intelligence for May 2016 as support for its claim. In that report Symantec notes the once heavily used Nuclear was less of a threat.

“The Nuclear exploit kit, which topped April's list, has dropped out of the top five this month, likely due to research that was published in late April, shedding light on the toolkit's infrastructure and likely leading to disruptions,” Symantec wrote.

Symantec did not return a inquiry asking if the Check Point report is the one alluded to in its writings by press time.

Tripwire's Young was not sure if making this successful take public was the right approach saying the operators have most likely just moved on to conducting their criminal activities under a new name.

“In the end, this move may have temporarily reduced attacks in the wild, but in the long run, it may have also cost researchers a valuable window into the group's activities,” he said.

A few of those inside facts included in the Check Point break down was that Nuclear was developed by a leading developer located in Krasnodar, Russia and was being marketed a ransomware as a service for several thousand dollars per month, which Check Point believes generated about $100,000 per month in revenue for the perpetrator.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.