Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

ISC StormCast for Friday, December 19th 2014

Exploit Kit Evolution During 2014 - Nuclear Pack

Published: 2014-12-18
Last Updated: 2014-12-18 20:06:13 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

This is a guest diary submitted by Brad Duncan.

Nuclear exploit kit (also known as Nuclear Pack) has been around for years.  Version 2.0 of Nuclear Pack was reported in 2012 [1] [2].  Blogs like have mentioned version 3.0 of Nuclear Pack in posts during 2013 [3] [4].

This month, Nuclear Pack changed its traffic patterns.  The changes are significant enough that I wonder if Nuclear Pack is at version 4.  Or is this merely an evolution of version 3, as we've seen throughout 2014?  Let's look at the traffic.

In January 2014, traffic from Nuclear Pack was similar to what I'd seen in 2013.  Here's an example from January 24th using Java to infect a VM [5]:

2014 saw Fiesta exploit kit-style URLs from Nuclear Pack.  Also, like other exploit kits, Nuclear sent Flash and Silverlight exploits.  Here's an example from September 29th [6]:

The above example has Silverlight, Flash, PDF and IE exploits.  In each case, a payload was sent to the vulnerable VM.  The traffic consists of two TCP streams.  The images below show the separate streams and their HTTP GET requests:

These patterns are not far off from the beginning of the year.  I only saw additional exploits from Nuclear Pack that I hadn't noticed before.

In December 2014, Nuclear Pack moved to a different URL structure.  I first noticed this on a pcap from [7].  Initially, I'd mistaken the traffic for Angler exploit kit.  After reviewing the pcap in Security Onion, I realized this was Nuclear Pack.

Here's another Nuclear Pack example from 2014-12-12 [8]:

Since the change in URL patterns, Nuclear Pack is XOR-ing the malware payload.  The image below shows an example where one of payloads is XOR-ed with the ASCII string: DvnQkxI

The change in traffic patterns is fairly significant for Nuclear Pack.  I haven't found any reason on why the change occurred.  Is this merely an evolution, or do these changes indicate a new version of Nuclear Pack?


Brad Duncan is a Security Analyst at Rackspace, and he runs a blog on malware traffic analysis at












0 comment(s)
ISC StormCast for Thursday, December 18th 2014

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Is the polkit Grinch Going to Steal your Christmas?
published 1 day ago by Dr. J. (1 comment)

Certified pre-pw0ned Android Smartphones: Coolpad Firmware Backdoor
published 1 day ago by Dr. J. (0 comments)

Some Memory Forensic with Forensic Suite (Volatility plugins)
published 2 days ago by Basil (0 comments)

Safari 8.0.2 Still Supporting SSLv3 with Block Ciphers
published 3 days ago by Dr. J. (2 comments)

Customized Support Scam Supported by Typo Squatting
published 3 days ago by Dr. J. (6 comments)

Worm Backdoors and Secures QNAP Network Storage Devices
published 4 days ago by Dr. J. (3 comments)

View All Diaries →

Latest Discussions

Uptick in ssh login attempts with usernames pi and ubnt
created 1 day ago by geeknik (0 replies)

sign post
created 2 weeks ago by Anonymous (1 reply)

CTF365 strange email
created 3 weeks ago by Alex (2 replies)

Marketing automation software vulnerabilities
created 1 month ago by Anonymous (0 replies)

Odd program from Google Chrome?
created 1 month ago by xParticle (2 replies)

View All Forums →

Latest News

View All News →