Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Edge Exploits Added to Sundown EK

The maintainers of the Sundown exploit kit have started using two Microsoft Edge vulnerabilities just a few days after researchers published a proof-of-concept (PoC) exploit.

The maintainers of the Sundown exploit kit have started using two Microsoft Edge vulnerabilities just a few days after researchers published a proof-of-concept (PoC) exploit.

The Edge flaws tracked as CVE-2016-7200 and CVE-2016-7201, which Microsoft patched with one of its November 2016 security bulletins (MS16-129), have been described as memory corruptions caused by how the Chakra JavaScript scripting engine handles objects.

Microsoft has warned that the security holes can be exploited by a remote attacker to execute arbitrary code in the context of the current user by getting the victim to access a specially crafted website.

On January 4, researchers at Austin, TX.-based security R&D startup Theori announced the availability of a PoC exploit for CVE-2016-7200 and CVE-2016-7201. Two days later, the French security researcher known as Kafeine reported seeing the exploits being used by the Sundown exploit kit.

The expert said on Friday that the exploits would likely be integrated into other kits within a matter of hours or days. However, Kafeine told SecurityWeek that, as of Monday morning, he had not spotted the exploits in other EKs.

In the recent attacks observed by Kafeine, Sundown had been used to deliver ZLoader. Over the past weeks, the researcher has also spotted Sundown delivering payloads such as Zeus Panda, Dreambot, Chthonic, Andromeda, Neutrino Bot, Betabot, Smokebot, Remcos, Kronos and a cryptocurrency miner.

This is not the first time cybercriminals have abused a PoC exploit made available by Theori. The same thing happened last summer, when the developers of the Neutrino exploit kit adapted a PoC for CVE-2016-0189 that had been created by the company.

Kafeine has pointed out that the EK ecosystem has been “struggling to stay in shape” after it lost Angler, which he called its “innovation locomotive.” The expert said nearly six months have passed without any new exploits being added to EKs.

Advertisement. Scroll to continue reading.

Sundown attracted the attention of the community in August 2015, when it was the first to integrate an exploit for an Internet Explorer vulnerability. Following the disappearance of bigger players such as Angler, Nuclear, Neutrino and Magnitude, it has become one of the top exploit kits and its authors continue to improve it.

Trend Micro researchers recently noticed that Sundown, which had typically not made an effort to hide its exploits, started using steganography to disguise malicious code in image files.

Related: Sundown Exploit Kit Outsources Coding Work

Related: Massive Malvertising Campaigns Hit Sites Worldwide

Related: Flash Player Remains Main Target of Exploit Kits

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...