By Dancho Danchev
In times when the market leading Black Hole Exploit Kit continues to gain market share, competing products are prone to emerge. What is the competition up to? Has it managed to differentiate itself from the market leading product or is it basically a “me too” exploit kit lacking any significant features worth emphasizing on?
In this post, I’ll profile the recently advertised Nuclear Exploit Pack v.2.0, elaborate on its features, and discuss whether or not it has the potential to outpace the market leader (Black Hole Exploit Kit) in terms of market share.
Screenshots of the Nuclear Exploit Pack’s latest version:
As you can see in the above screenshot, the cybercriminal that’s advertising the availability of the second version of the Nuclear Exploit Pack is currently busy managing six unique malicious campaigns. The first campaign has already managed to infect 1,194 hosts, the majority of which are running Windows 7 and using Internet Explorer 9.0.
Second screenshot of the Nuclear Exploit Pack v2.0 in action:
The second screenshot shows the cybercriminal has also managed to exploit 3,132 users located in Italy, running outdated versions of Microsoft’s Internet Explorer browser, with Windows XP.
Third screenshot of the Nuclear Exploit pack in action:
The third screenshot shows the statistics from yet another malicious campaign operated by the cybercriminal behind the Nuclear Exploit Pack. It shows that 345 hosts have been infected, the majority of which are running Windows 7 and Microsoft’s Internet Explorer 8.0
Fourth screenshot of the Nuclear Exploit pack v2.0 in action:
The fourth screenshot indicates that 166 hosts were exploited, the majority of which are still running Windows XP and Microsoft’s Internet Explorer 8.0. What also makes an impression is that despite the fact that the cybercriminal behind the exploit kit has blurred the referrers for all the campaigns, he did not blur the actual MD5s used in these campaigns.
Associated campaign MD5s thanks to the OPSEC-unaware fact that the cybercriminal behind the exploit kit didn’t bother blurring them:
MD5: 80c8eac98ebcbc5019c19e3da0b02cd6 - detected by 25 out of 41 antivirus scanners as Trojan-Ransom.Win32.ZedoPoo.il
MD5: 104296602e7754bc88edd60002eacb06 - detected by 27 out of 42 antivirus scanners as HEUR:Trojan.Win32.Generic
MD5: 3c07ed1a4c3f98d01d06e57bad5e2491 - detected by 17 out of 42 antivirus scanners as Win32:Spyware-gen [Spy]
MD5: 94a3485f33b25cf27acd4bc9d6eefc77 - detected by 23 out of 42 antivirus scanners as Trojan-Spy.Win32.Zbot.dswl
What differentiates this cybercrime ecosystem advertisement is the fact that the cybercriminal behind it is using “risk-forwarding” tactics in an attempt to mitigate the risk posed by the criminal nature of the kit. They achieve this by introducing a Terms of Service (TOS) that everyone must agree to before using their product.
The TOS forbids the following practices:
- Actions that would violate the law of the Russian Federation
- Acquisition of traffic using spam emails
- iFrame-based traffic acquisition practices are forbidden
- Testing the software on public services such as, for instance, VirusTotal
- Offering Cybercrime-as-a-Service business services using the kit
- Developing an affiliate program using the exploit kit
What about the prices for purchasing access to the exploit kit? Here they are:
Prices for acquiring traffic obtained through compromised sites, spamvertised social engineering centered email campaigns, and black hat SEO:
50k / day limit / 1 month – 500 wmz
100k / day limit / 1 month – 800 wmz
200k / day limit / 1 month – 1200 wmz
300k / day limit / 1 month – 1600 wmz
50k / day limit / 2 week – 300 wmz
100k / day limit / 2 week – 500 wmz
200k / day limit / 2 week – 700 wmz
300k / day limit / 2 week – 900 wmz
100k / day limit / 1 week – 300 wmz
200k / day limit / 1 week – 400 wmz
300k / day limit / 1 week – 500 wmz
If potential customers are only interested in testing the exploit kit, they can do so for a period of 24 hours, and pay just 50 wmz.
Is the Nuclear Exploit Pack a potential market leader in the long term, or will it basically turn into a market follower in a marketplace where the Black Hole Exploit kit remains the definite market leader? Although the kit is taking advantage of recent Java vulnerabilities, compared to the Black Hole Exploit kit, it’s lacking major OPSEC (operational security) features. This makes it much easier to analyze compared to the latest version of the Black Hole Exploit kit v2.0 that introduced a variety of features making the campaigns harder to detect and analyze by vendors and security researchers.
We’ll continue monitoring the development of the kit.
Webroot SecureAnywhere users are proactively protected from these threats.