Researchers are warning that the Nuclear exploit kit has evolved, a change evident by the rising number of software products targeted by the crimeware kit, which now takes aim at vulnerable versions of Microsoft Silverlight to spread malware.
On Tuesday, Trend Micro revealed on its blog that the number of exploits used by the kit has doubled since the beginning of the year – from three exploits (targeting Adobe PDF, Internet Explorer, and Java software) to six, which now entail Adobe Flash, Microsoft XMLDOM and Silverlight exploits.
Blog author and Trend Micro threats analyst Brooks Li detailed why criminals added a Silverlight exploit (CVE-2013-0074) in particular to the kit, saying that that addition gave saboteurs “an expanded attack surface” and the means to avoid detection “as not many security solutions have detections for this particular exploit.”
Li found that the Nuclear exploit kit will first check to see if a victim is running the web browser plug-in Silverlight.
“If the check passes, it will then attempt to use the Silverlight exploit to drop malware into the system,” Li wrote.
The exploit takes advantage of a Silverlight bug that has a patch; but since less security solutions would detect the threat (compared to exploits for ubiquitous software, like Adobe Flash or Java plug-ins for instance), users running vulnerable versions of Silverlight could be a prime target for cybercriminals.
In a Tuesday interview, Christopher Budd, global threat communications manager at Trend Micro, told SCMagazine.com that the “scatter shot approach” taken up by cybercriminals using exploit kits, is what makes crimeware kits “hard to protect [users] against.”
“If an exploit kit targets 100 vulnerabilities, and you're security software protects against 99 of [the exploits], it doesn't matter that you are running that [security] software – that software has failed you,” he later added.
The Nuclear exploit kit has been used in a number of campaigns targeting users, including an incident last November where the popular humor site Cracked.com was compromised to host the crimeware kit. In July, Symantec also warned of a Facebook scam, where users clicking work-from-home related links were eventually led to Nuclear.