Cisco's Talos Group found that Nuclear Exploit Kit (EK) operators are leveraging new tactics to try to obfuscate the threat's payload delivery process.
Researcher Nick Biasini published a blog post Tuesday on recent attacks, specifically noting how the Nuclear campaign used domain shadowing and HTTP 302 cushioning “prevalent in Angler,” a competitor exploit kit, to hide its activities.
Domain shadowing is a technique where “threat actors use compromised registrant accounts to create large amounts of malicious subdomains,” he explained, while 302 cushioning lets miscreants chain HTTP 302 redirects rather than injected iframes to reach the landing page, circumventing signature-based intrusion detection systems that key on the iframe pattern.
“The interesting part is that this appears to be a work in progress,” Biasini said, adding that attacks initially directed users to broken links, then eventually to Nuclear where malicious flash files failed to compromise systems. “Once this gets completed it will be a threat worth watching,” he said.
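Both techniques leave traces a defender can look for in proxy logs: a client walking several consecutive 302 redirects, and a registered domain that suddenly sprouts many random-looking subdomains. The script below is an added illustration of that detection logic, not Talos code; the log records, host names and thresholds are constructed for the example.

```python
# Added example: flag 302-cushioned redirect chains that land on a registered
# domain showing domain-shadowing behaviour, from constructed proxy records.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed records: (client, requested_url, status, Location header or None)
SAMPLE_LOG = [
    ("10.0.0.5", "http://news-site.example/article", 200, None),
    ("10.0.0.5", "http://ads.cdn-host.example/banner.js", 302, "http://r1.tracker.example/go"),
    ("10.0.0.5", "http://r1.tracker.example/go", 302, "http://qwz7k.legit-owner.example/landing.php"),
    ("10.0.0.5", "http://qwz7k.legit-owner.example/landing.php", 200, None),
    ("10.0.0.5", "http://mh3s9.legit-owner.example/flash.swf", 200, None),
    ("10.0.0.7", "http://shop.example/cart", 302, "https://shop.example/login"),
    ("10.0.0.7", "https://shop.example/login", 200, None),
]

def registered_domain(host):
    # Two-label approximation; production code should consult a public-suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def redirect_chains(records, min_hops=2):
    """Follow each 302 Location header to the same client's next request and
    return chains with at least min_hops redirects before a non-302 landing."""
    by_client = defaultdict(list)
    for client, url, status, loc in records:
        by_client[client].append((url, status, loc))
    chains = []
    for client, reqs in by_client.items():
        i = 0
        while i < len(reqs):
            hops, j = [], i
            # Extend the chain only while the Location target is the next request.
            while reqs[j][1] == 302 and reqs[j][2] and j + 1 < len(reqs) and reqs[j + 1][0] == reqs[j][2]:
                hops.append(reqs[j][0])
                j += 1
            if len(hops) >= min_hops:
                chains.append((client, hops + [reqs[j][0]]))  # hops plus landing URL
                i = j
            i += 1
    return chains

def shadowed_domains(records, min_subdomains=2):
    """Registered domains seen under several distinct hosts: a domain-shadowing
    indicator once known CDNs and the organisation's own domains are excluded."""
    hosts_by_domain = defaultdict(set)
    for _, url, _, _ in records:
        host = urlsplit(url).hostname or ""
        hosts_by_domain[registered_domain(host)].add(host)
    return {d for d, hosts in hosts_by_domain.items() if len(hosts) >= min_subdomains}

def flag_cushioned_landings(records):
    """Chains whose landing host belongs to a domain that also looks shadowed."""
    shadowed = shadowed_domains(records)
    return [(c, chain) for c, chain in redirect_chains(records)
            if registered_domain(urlsplit(chain[-1]).hostname or "") in shadowed]
```

On the sample data only the 10.0.0.5 chain is flagged: two 302 hops ending on `qwz7k.legit-owner.example`, a domain that also serves `mh3s9.legit-owner.example`, while the shop's single login redirect is ignored.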