The Nuclear exploit kit has been spotted throwing ransomware CryptoWall 4.0 at innocent netizens' machines, according to a security researcher Brad Duncan, who stated it is the first time he's noticed that particular nasty being distributed by an exploit kit.
While not as vicious a beast as Angler, the Nuclear kit remains popular with cyber-criminals, and was used earlier this year to mangle Google advertisements.
Brad Duncan, a security researcher at Rackspace, wrote that although samples of CryptoWall 4.0 have been spotted in the wild since 2 November, they were all "associated with malicious spam. Until now, I haven't noticed CryptoWall 4.0 from any EKs. And now I've only seen it from the BizCN gate actor."
The BizCN gate actor was dubbed thus by Duncan as it "uses another server to act as a 'gate' between the compromised website and its EK server. I've been calling this criminal group the 'BizCN gate actor' because domains it uses for the gate have all been registered through the Chinese registrar BizCN, always with privacy protection."
This seems to be the first time an exploit kit has been documented flinging the CryptoWall 4.0 ransomware, with 3.0 being far more commonly used.
Duncan's in-depth analysis concluded with the note that his publicising the BizCN gate actor's tactics may force them to change. "However, unless this actor initiates a drastic change, it can always be found again. Expect another diary on this subject if any significant changes occur."
The Nuclear EK operates by exploiting vulnerabilities in Java, Acrobat Reader, Flash, and Silverlight. Users of such software should ensure they are keeping everything up to date. ®