Exploit Kit Hides with Tor

Friday, April 15, 2016 @ 03:04 PM gHale

As attacks get more sophisticated and the amount of money generated becomes more bountiful, exploit kit developers are getting more creative.

Take the Nuclear exploit kit as a perfect example as its developers introduced a final payload that downloads via the Tor network, which makes it more difficult for security professionals to track.

Hacking Costs on Decline
Patching Tool Under Scrutiny
Corporate iOS Devices Targeted
iOS Zero Day in iMessage Encryption

The attack observed by researchers at Cisco Talos starts with a compromised website that acts as the exploit kit gate. When users access this site, they are redirected to a landing page via a technique called “302 cushioning.”

302 cushioning takes advantage of HTTP 302 redirects to automatically take victims to malicious websites. By using 302 redirects, which are less likely to raise suspicion, attackers increase their chances of evading detection by security systems.

The landing page probes the victim’s system to determine if it can attack and then delivers the exploit page.

In the Nuclear EK case, attackers leveraged an Adobe Flash Player vulnerability to push the payload, the researchers said. Exploit code for the patched Flash flaw tracked as CVE-2016-1019 was in the Nuclear exploit kit.

What makes this instance of Nuclear interesting is it drops a Tor client for Windows. The client file, named “tor.exe,” is executed and a request is made via the Tor anonymity network to download a secondary payload.

“We looked at the Tor traffic and were able to find several domains listed in the network traffic. None of these domains have ever been registered and we were not able to find any DNS traffic associated with them. There also appears to be several time stamps from both 2016 and 2015 included as well,” Cisco’s Nick Biasini said in a blog post.

By using Tor to download a second payload instead of directly dropping a malicious executable, attackers make it difficult to track the malware back to the hosting system.

“The amount of money involved in the current exploit kit landscape is mind blowing,” Biasini said. “This allows our adversaries to hire professional development teams which continue to evolve the threat landscape. This is a recent example of Nuclear adjusting to compete with the sophistication of exploit kits like Angler. As they become more effective at delivering payloads and bypassing security devices, their profits will continue to rise. This will create a feedback mechanism continuing the EK’s evolution, much like we have already seen with ransomware.”