Inside the Nuclear malware-as-a-service platform

By now most CISOs know that criminals as well as corporations are leveraging software-as-a-service. This week Check Point Software released a report looking at the Nuclear exploit kit, which it says was one of the world’s largest attack infrastructures until it shut down recently amid exposure by security researchers at Check Point and Cisco Systems.

Cisco estimated attackers using Nuclear have been successfully targeting and compromising users in more than 10,000 different cities in more than 150 countries, including Canada. Check Point said last month Nuclear attacked close to 1.85 million machines around the world, with almost 10 per cent of them being infected.

As the Check Point report explains, Nuclear is rented to cybercriminals for a few thousand dollars a month. Researchers discovered it had 15 active control panels (so 15 attackers could be using it at a time) suggesting organizers — suspected to be in Russia — could have been pulling in US$100,000 a month.

From the panel the subscriber can choose the malware wanted for an attack. The overwhelming majority were ransomware — often the Locky dropper — followed by banking Trojans. While Nuclear often changes exploits to evade detection, its favoured targets are Flash, JavaScript and VBScript vulnerabilities.

In operation, the service provider owns the master server, which controls the 15 attacker servers. Each attacker receives his own Nuclear control panel, where the campaign can be viewed and managed. Each server has a number of landing page servers. Unsuspecting users are directed to these compromised website servers to be infected.

Illustration from Check Point Software

These reports again underscore the importance to CISOs of either eliminating Flash from their environments or ensuring users have to click to approve a Flash download on their computers. In addition, patching for other exploits — like JavaScript and VBScript — has to be timely.

Internet service providers also have to take notice, because often they are unwitting hosts to malware as a service. Cisco researchers compiled a list of around a dozen IPs that were hosting the Nuclear exploit kit. One of them helped with the takedown on its servers and with data showing how the kit operates.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
