After our recent blog post about an encrypted Flash exploit, we went back to analyze some more of these exploit files. We took some of the newer exploit recordings available on a malware aggregation site and tried to decrypt them using the same Diffie-Hellman protocol that had worked for us before. We discovered that enough time had gone by that the Nuclear Exploit Kit team had already upped their game, and the brute-force decryption did not work anymore. So what’s a researcher to do?
We went off in search of new exploit files that we could find in the wild. We started with some of the known compromised sites, to see the latest malicious files the hackers are churning out. Sure enough, some of them were still compromised. But the Exploit Kit URL had been modified together with its pattern. In fact, lots of parameters had changed.
In order to bypass most security solutions, we observed that Nuclear Exploit Kit randomly polymorphs the delivered malicious files throughout the day; the URLs and URL patterns are continuously changed; the kit’s host server, which holds the encryption key, changes; and the encryption changes for each access, that is, the exploit is delivered only once to a single IP.
These are all obfuscation attempts, to ensure that endpoint protection solutions will not be able to stop the exploits. Hackers move at warp speed to overcome most defenses enterprises can throw in their way. By concealing their tracks so thoroughly through this constant dance of new code, new servers, new exploits, they can bypass most:
And they make it extremely challenging to reproduce the attack, since they work just once and then disappear.
The exploits we researched take advantage of a vulnerability that has already been patched in Flash. But this doesn’t mean you can relax: an Exploit Kit that generates new, sophisticated variants on the fly with a formula of “changing encryption + changing servers + changing files + changing whatever else” can leverage any type of zero-day exploit. You should consider implementing a solution that is indifferent to these attempts to hide the exploit.
And now for some technical details…
While searching for exploits on http://www.malware-traffic-analysis.net/ we wanted to see if one of the malvertising sites was still active, and what we found was quite interesting:
kristydebono.com, ima-hospital.com and egsrentacar.com had previously been compromised by Nuclear Exploit Kit, and they still were (we chose to focus on Nuclear, although a few other sites are also still compromised after two weeks; those deliver the Rig Exploit Kit with a less sophisticated delivery method).
Exploit Kit developers are still several steps ahead of traditional security companies, and attacks can go unnoticed for ever longer periods of time. These findings show, for the first time, an Exploit Kit that automatically generates the exploit code on the fly. On every infection attempt, the Exploit Kit creates a new form of attack in a non-deterministic and polymorphic way. This rising level of sophistication poses a serious threat and barrier even for some next-generation security products that rely on historical knowledge about attack behavioral patterns. Only attack-agnostic solutions such as Morphisec can cope with this new threat.
NUCLEAR EK TIME X+1
Some malicious files that have been recorded during the campaign:
Some VirusTotal snapshots – known one actually recognizes it as Exploit
Hex diff of two SWF files delivered within one hour of each other by the same Nuclear EK:
Decompiled diff of the SWF delivered one hour later by the same Nuclear EK:
Morphisec Dump records identify the exploit and the vector corruption (without having the exploit decrypted):
The corrupted vector (size 4GB):