Enormous Malware as a Service Infrastructure Fuels Ransomware Epidemic

The Check Point Research team has uncovered an operation that turns out to be one of the world’s largest attack infrastructures.

The malware-as-a-service (MaaS) play is being used by a cyber-criminal syndicate to use the Nuclear exploit kit to spread malware worldwide.

With 15 active Nuclear control panels, the likely Russian perpetrators behind the MaaS operation accumulate revenue of approximately $100,000 a month, according to Check Point’s estimates. In the last month alone, the infrastructure was used to attack 1,846,678 machines. The success rate of these attacks was 9.95%, resulting in 184,568 newly infected machines.

Exploit kits (EKs) are a major part of the MaaS industry, which facilitates the execution of ransomware and banking trojans, among others. Their creators rent them to cyber-criminals, who use them to attack unsuspecting users. Nuclear is one of the top EKs, Check Point noted, both in complexity and in spread.

“Nuclear’s infrastructure is not the work of a lone wolf,” the researchers said. “According to our findings, the leading developer is located in Krasnodar, Russia. Nuclear is rented to cyber-criminals for a few thousand dollars a month.”

The service provider owns the master server, which controls all of the attackers’ servers. Each attacker rents a server with a control panel from which they can manage their malware campaign, distributing any malware of their choice. Each server has a number of landing page servers, to which unsuspecting users are directed to be infected. Users can be directed there by malicious links in phishing mails, malvertising or hacked websites.

With the current ransomware trend, it’s not surprising to see that ransomware is the dominant payload for attackers at this moment in time. Nuclear served 110,000 Locky droppers in the inspected month, costing victims around $12.7 million.

The victims of this malicious campaign are spread across almost the entire globe. The researchers noted that Nuclear does not attack countries which belong to the Eastern Partnership, in order to avoid law enforcement activities against the developers.

The analysis efforts appear to have had a salubrious effect on the threat landscape. “The puppet masters were apparently startled by our findings,” the researchers said. “Following our previous publication, all known Nuclear servers were shut down.”
