Connect with us

Hi, what are you looking for?



Edge Exploits Added to Sundown EK

The maintainers of the Sundown exploit kit have started using two Microsoft Edge vulnerabilities just a few days after researchers published a proof-of-concept (PoC) exploit.

The maintainers of the Sundown exploit kit have started using two Microsoft Edge vulnerabilities just a few days after researchers published a proof-of-concept (PoC) exploit.

The Edge flaws tracked as CVE-2016-7200 and CVE-2016-7201, which Microsoft patched with one of its November 2016 security bulletins (MS16-129), have been described as memory corruptions caused by how the Chakra JavaScript scripting engine handles objects.

Microsoft has warned that the security holes can be exploited by a remote attacker to execute arbitrary code in the context of the current user by getting the victim to access a specially crafted website.

On January 4, researchers at Austin, TX.-based security R&D startup Theori announced the availability of a PoC exploit for CVE-2016-7200 and CVE-2016-7201. Two days later, the French security researcher known as Kafeine reported seeing the exploits being used by the Sundown exploit kit.

The expert said on Friday that the exploits would likely be integrated into other kits within a matter of hours or days. However, Kafeine told SecurityWeek that, as of Monday morning, he had not spotted the exploits in other EKs.

In the recent attacks observed by Kafeine, Sundown had been used to deliver ZLoader. Over the past weeks, the researcher has also spotted Sundown delivering payloads such as Zeus Panda, Dreambot, Chthonic, Andromeda, Neutrino Bot, Betabot, Smokebot, Remcos, Kronos and a cryptocurrency miner.

This is not the first time cybercriminals have abused a PoC exploit made available by Theori. The same thing happened last summer, when the developers of the Neutrino exploit kit adapted a PoC for CVE-2016-0189 that had been created by the company.

Advertisement. Scroll to continue reading.

Kafeine has pointed out that the EK ecosystem has been “struggling to stay in shape” after it lost Angler, which he called its “innovation locomotive.” The expert said nearly six months have passed without any new exploits being added to EKs.

Sundown attracted the attention of the community in August 2015, when it was the first to integrate an exploit for an Internet Explorer vulnerability. Following the disappearance of bigger players such as Angler, Nuclear, Neutrino and Magnitude, it has become one of the top exploit kits and its authors continue to improve it.

Trend Micro researchers recently noticed that Sundown, which had typically not made an effort to hide its exploits, started using steganography to disguise malicious code in image files.

Related: Sundown Exploit Kit Outsources Coding Work

Related: Massive Malvertising Campaigns Hit Sites Worldwide

Related: Flash Player Remains Main Target of Exploit Kits

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.