A new version of the Sundown exploit kit uses a technique called steganography to hide its exploits in harmless-looking image files, Trend Micro reported on Thursday.
Steganography, the practice of hiding data inside another, innocuous-looking file, has increasingly been used by malicious actors, including in the malvertising campaigns conducted recently by the AdGholas and GooNky groups.
According to Trend Micro, GooNky has attempted to hide its malvertising traffic by appending malicious code after the end of otherwise valid image files, which image viewers still render normally. AdGholas has used a more sophisticated technique through the Astrum (Stegano) exploit kit.
In that case the attackers encoded a script in the alpha channel of an image. Because the alpha channel only defines pixel transparency, the tampered pixels barely changed the rendered picture: the rogue ads looked like legitimate ads with a slightly different color, while the ad code read the pixel data back and recovered the script.
A similar technique has been observed in a Sundown update spotted by Trend Micro on December 27. This update attracted the attention of researchers as Sundown had previously not made an effort to hide its exploits.
“In this updated version, the exploit kit’s malvertisement creates a hidden iframe that automatically connects to the Sundown landing page,” explained Trend Micro threat analysts. “The page will retrieve and download a white PNG image. It then decodes the data in this PNG file to obtain additional malicious code.”
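The two hiding techniques described above (data appended after the end of an image, and data encoded in the alpha channel of an otherwise white PNG) can be reproduced and checked for with a small amount of code. The following is an added example written for this page, not code from Trend Micro, Sundown or Astrum; the nibble-per-pixel alpha encoding, the length header and the function names are assumptions chosen for illustration, since the page does not describe the kits' exact encoding. The payload is a constructed placeholder string, not an exploit. The `inspect_png` function at the end shows the two signals a defender can look for in a served image: bytes after the IEND chunk, and an alpha channel that is not uniformly opaque.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int, height: int, rgba: bytes) -> bytes:
    """Minimal 8-bit RGBA PNG encoder (no interlace, filter type 0 on every row)."""
    if len(rgba) != width * height * 4:
        raise ValueError("rgba buffer does not match dimensions")
    stride = width * 4
    raw = b"".join(b"\x00" + rgba[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def parse_png(data: bytes):
    """Walk the chunk list; return (width, height, rgba, trailing).

    'trailing' is whatever follows the IEND chunk. A well-formed PNG has none,
    and decoders ignore it, which is exactly what makes it a hiding place.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, width, height, idat, trailing = len(PNG_SIG), None, None, b"", b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad chunk CRC")
        pos += 12 + length
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            if depth != 8 or colour != 6:
                raise ValueError("only 8-bit RGBA is supported here")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            trailing = data[pos:]
            break
    raw = zlib.decompress(idat)
    stride = width * 4
    # Strip the per-row filter byte (always 0 for images produced by make_png).
    rgba = b"".join(raw[y * (stride + 1) + 1:(y + 1) * (stride + 1)] for y in range(height))
    return width, height, rgba, trailing


def hide_in_alpha(payload: bytes, width: int, height: int) -> bytes:
    """Astrum-style carrier (assumed encoding): an all-white image whose alpha values
    stay in 0xF0..0xFF, carrying one payload nibble per pixel after a 4-byte length."""
    nibbles = []
    for b in struct.pack(">I", len(payload)) + payload:
        nibbles += [b >> 4, b & 0x0F]
    if len(nibbles) > width * height:
        raise ValueError("payload does not fit in the image")
    pixels = bytearray()
    for i in range(width * height):
        alpha = 0xF0 | nibbles[i] if i < len(nibbles) else 0xFF
        pixels += bytes((0xFF, 0xFF, 0xFF, alpha))
    return make_png(width, height, bytes(pixels))


def extract_from_alpha(png: bytes) -> bytes:
    """Inverse of hide_in_alpha: read the low nibble of every alpha byte."""
    w, h, rgba, _ = parse_png(png)
    nibbles = [rgba[i * 4 + 3] & 0x0F for i in range(w * h)]
    byte_at = lambda k: (nibbles[2 * k] << 4) | nibbles[2 * k + 1]
    (length,) = struct.unpack(">I", bytes(byte_at(k) for k in range(4)))
    return bytes(byte_at(4 + k) for k in range(length))


def append_after_iend(png: bytes, payload: bytes) -> bytes:
    """GooNky-style hiding: the image is left intact and the data simply follows IEND."""
    return png + payload


def inspect_png(data: bytes) -> dict:
    """Two cheap indicators for a served image: trailing bytes and a non-uniform alpha channel."""
    w, h, rgba, trailing = parse_png(data)
    alphas = [rgba[i * 4 + 3] for i in range(w * h)]
    return {
        "trailing_bytes": len(trailing),
        "distinct_alpha": len(set(alphas)),
        "not_fully_opaque": sum(1 for a in alphas if a != 0xFF),
    }


if __name__ == "__main__":
    secret = b"var x = 1;"  # constructed placeholder, not real exploit code
    carrier = hide_in_alpha(secret, 8, 8)
    assert extract_from_alpha(carrier) == secret
    print("alpha carrier:", inspect_png(carrier))
    print("appended data:", inspect_png(append_after_iend(make_png(8, 8, b"\xff" * 256), b"evil")))
```

A clean, fully opaque white image reports `trailing_bytes == 0`, a single distinct alpha value and no non-opaque pixels; either hiding technique disturbs one of those counters. Real ad creatives legitimately use partial transparency, so the alpha indicator is a triage signal rather than a verdict, whereas bytes after IEND have no legitimate reason to be there.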
In the attacks analyzed by the security firm, cybercriminals used PNG images to disguise various exploits, including ones targeting Internet Explorer (CVE-2015-2419, CVE-2016-0189) and Flash Player (CVE-2016-4117).
The updated version of Sundown has been used in several malvertising campaigns, with more than half of victims located in Japan, Canada, France and the United States. One of the pieces of malware delivered in these operations was the Chthonic banking Trojan.
Sundown attracted the attention of researchers in August 2015, when it was the first to integrate an exploit for a recently patched Internet Explorer vulnerability. Following the disappearance of bigger players such as Angler, Nuclear, Neutrino and Magnitude, it has become one of the top exploit kits.
One of the recent major campaigns leveraging Sundown – along with the RIG exploit kit – delivered CryLocker ransomware. In these attacks, cybercrooks used PNG files to exfiltrate information from infected systems.