For this blog, we'd like to walk you through a recent attack involving Nuclear Exploit Kit (EK) that we analyzed. It was found leveraging CVE-2014-0515, a buffer overflow in Adobe Flash Player discovered in April 2014.
Nuclear Exploit kit targets a number of known vulnerabilities including:
Although there are other associated vulnerabilities that are being exploited by Nuclear Exploit kit, we will limit this blog post to reviewing the Flash exploitation (CVE-2014-0515).
Nuclear EK Landing
Unlike other EKs such as RIG, Nuclear EK's landing page code is highly obfuscated.
After de-obfuscation, the page looks as follows:
Nuclear EK's landing page checks for the following antivirus (AV) driver files and if finds any, terminates the exploitation process. We have seen these checks before in RIG EK too.
CVE-2014-0515 exploit analysis
Here is the code that dynamically creates a new Flash Object:
The Flash exploit payload that gets downloaded is highly obfuscated to evade AV detection. Below is a snippet of decompiled code from this Flash exploit:
There are two hard coded snippets of obfuscated shellcode in the action script as seen below:
After de-obfuscating on the run time, it adds bytecode to a Shader Object from one of the de-obfuscated shell code snippets.
Nuclear Exploit kit targets a number of known vulnerabilities including:
- pdf - PDF:Exploit.PDF-JS
- swf - CVE-2014-0515
- jar - CVE-2012-0507
| FILE TYPE | MD5 | SIZE | CVE/THREAT | VT HITS |
| FLASH | A1465ECE32FA3106AA88FD666EBF8C78 | 5614 | CVE-2014-0515 | 18 / 53 |
| JAR | A93F603A95282B80D8AFD3F23C4D4889 | 12396 | CVE-2012-0507 | 26 / 54 |
| 19ED55EF17A49451D8052D0B51C66239 | 9770 | Exploit.PDF-JS | 22 / 54 | |
| EXE | 8BCE8A59F9E789BEFB9D178C9A03FB66 | 104960 | Win32/Zemot | 39 / 53 |
Although there are other associated vulnerabilities that are being exploited by Nuclear Exploit kit, we will limit this blog post to reviewing the Flash exploitation (CVE-2014-0515).
Nuclear EK Landing
Unlike other EKs such as RIG, Nuclear EK's landing page code is highly obfuscated.
(Fig 1: Obfuscated Landing Page)
After de-obfuscation, the page looks as follows:
(Fig 2: De-Obfuscated Landing Page)
Nuclear EK's landing page checks for the following antivirus (AV) driver files and if finds any, terminates the exploitation process. We have seen these checks before in RIG EK too.
(Fig 3: Check for AV driver files)
If this AV check is passed, a javascript function then checks the installed Flash version and if a vulnerable version is detected on the client's browser, a call is then made to a dynamic Flash object creation module. 
If this AV check is passed, a javascript function then checks the installed Flash version and if a vulnerable version is detected on the client's browser, a call is then made to a dynamic Flash object creation module.
(Fig 4: Flash Call)
Here are the vulnerable Flash player checks:
(Fig 5: Checks if vulnerable version installed)
If the version check passes, the Flash exploitation process will commence as seen below.CVE-2014-0515 exploit analysis
Here is the code that dynamically creates a new Flash Object:
(Fig 6: Flash Object Creation)
The Flash exploit payload that gets downloaded is highly obfuscated to evade AV detection. Below is a snippet of decompiled code from this Flash exploit:
(Fig 7: Decompiled Flash File)
(Fig x1,x2: Raw Shellcodes)
After de-obfuscating on the run time, it adds bytecode to a Shader Object from one of the de-obfuscated shell code snippets.
(Fig 8: Shader Byte Code Filler)
Exploit kits generally make use of known vulnerabilities and Flash is a popular target. CVE-2014-0515 in particular targets a Flash vulnerability in Flash versions before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux. It's critical to ensure that your employees aren't running outdated versions of Flash as it is commonly targeted by EKs.
References:
The Shader's Pixel Bender is where this malformed byte code is written, which triggers the vulnerability.
Here is the Malformed byte code:
(Fig 9: Malformed data for Pixel Shader)
Disassembling Pixel Bender's byte code
We used Tinc Uro's program to get the PixelBender binary data decompiled.
(Fig 10: Decompiled PixelBender data)
We can see the inappropriate content here. The Shader Object takes a float parameter whose default value is set to a matrix of 4x4 floats and the second float value of this matrix is invalid value triggering the vulnerability.
Conclusion
Since the downfall of the popular Blackhole Exploit Kit, we have seen the advent of many new Exploit Kits. Nuclear Exploit Kit definitely ranks in the Top 5 prevalent EKs in the wild at the moment. We have seen an increasing number of compromised sites and scam pages leading to Nuclear Exploit Kit in past three months. Some of the notable compromised sites during this time frame that were redirecting to Nuclear EK includes:
SocialBlade.com - A youtube statistics tracking site.
AskMen.com - Men's entertainment website
Facebook.com survey scam pages
Since the downfall of the popular Blackhole Exploit Kit, we have seen the advent of many new Exploit Kits. Nuclear Exploit Kit definitely ranks in the Top 5 prevalent EKs in the wild at the moment. We have seen an increasing number of compromised sites and scam pages leading to Nuclear Exploit Kit in past three months. Some of the notable compromised sites during this time frame that were redirecting to Nuclear EK includes:
SocialBlade.com - A youtube statistics tracking site.
AskMen.com - Men's entertainment website
Facebook.com survey scam pages
Exploit kits generally make use of known vulnerabilities and Flash is a popular target. CVE-2014-0515 in particular targets a Flash vulnerability in Flash versions before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Windows and OS X, and before 11.2.202.356 on Linux. It's critical to ensure that your employees aren't running outdated versions of Flash as it is commonly targeted by EKs.
References:
- http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/
- http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf
- http://www.kaourantin.net/2008/09/pixel-bender-pbj-files.html
- http://www.free-decompiler.com/flash/download.html
- http://malware-traffic-analysis.net/
