Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Sundown EK First to Integrate Exploit for Recently Patched IE Flaw

Researchers at Symantec noticed that an exploit for a recently patched vulnerability affecting Internet Explorer (CVE-2015-2444) was added to the Sundown exploit kit. Sundown is the first EK to integrate an exploit for this particular flaw.

Researchers at Symantec noticed that an exploit for a recently patched vulnerability affecting Internet Explorer (CVE-2015-2444) was added to the Sundown exploit kit. Sundown is the first EK to integrate an exploit for this particular flaw.

This is a noteworthy case considering that new exploits usually show up in the more popular exploit kits first. Currently, the developers of the Angler EK seem to be the best when it comes to using recently patched and even zero-day vulnerabilities. Angler is followed by Nuclear, Neutrino, and Magnitude, whose developers have also done a good job at integrating new exploits.

A brief analysis of the Sundown EK was published in June by the French researcher known as “Kafeine.” The exploit pack was dubbed “Sundown” by William Metcalf from Emerging Threats because it had been used to target Japanese users.

Kafeine noted at the time that Sundown, which has been around since April, was in the same category as the Archie EK, based on traffic sources and level of sophistication. A different version of the same exploit kit, dubbed “Beta,” was analyzed earlier this year by researchers Aditya Sood and Rohit Bansal.

Symantec has observed watering hole attacks that leverage the Sundown EK to deliver a backdoor Trojan detected by the security firm as Trojan.Nancrat. The malware allows attackers to steal information from infected computers.

In order to deliver the Trojan to victims’ computers, Sundown attempts to exploit various vulnerabilities, including CVE-2015-2444, a critical memory corruption flaw in Internet Explorer patched by Microsoft on August 11 as part of the company’s monthly security updates.

When it patched the remote code execution security hole, Microsoft noted that the flaw had not been publicly disclosed and there wasn’t any evidence of exploitation.

The attacks monitored by Symantec mainly affect users in Japan, but some infections have also been spotted in the United States, Brazil, Canada, and the United Kingdom.

Advertisement. Scroll to continue reading.

The attackers injected an iframe into a hijacked website in order to redirect users to a highly obfuscated webpage hosting the Sundown exploit kit. The kit is designed to check for the presence of certain security software, sandboxes and traffic analysis tools before dropping its exploits, Symantec said.

In the campaign observed by the security firm, Sundown also leveraged six other exploits, including four Flash Player, one Windows and one Internet Explorer exploits. These exploits were also seen by Kafeine when he analyzed Sundown back in June.

Related Reading: Just-Patched Internet Explorer Flaw Used in Watering Hole Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.