Security Experts:

Edge Exploits Added to Sundown EK

The maintainers of the Sundown exploit kit have started using two Microsoft Edge vulnerabilities just a few days after researchers published a proof-of-concept (PoC) exploit.

The Edge flaws tracked as CVE-2016-7200 and CVE-2016-7201, which Microsoft patched with one of its November 2016 security bulletins (MS16-129), have been described as memory corruptions caused by how the Chakra JavaScript scripting engine handles objects.

Microsoft has warned that the security holes can be exploited by a remote attacker to execute arbitrary code in the context of the current user by getting the victim to access a specially crafted website.

On January 4, researchers at Austin, TX.-based security R&D startup Theori announced the availability of a PoC exploit for CVE-2016-7200 and CVE-2016-7201. Two days later, the French security researcher known as Kafeine reported seeing the exploits being used by the Sundown exploit kit.

The expert said on Friday that the exploits would likely be integrated into other kits within a matter of hours or days. However, Kafeine told SecurityWeek that, as of Monday morning, he had not spotted the exploits in other EKs.

In the recent attacks observed by Kafeine, Sundown had been used to deliver ZLoader. Over the past weeks, the researcher has also spotted Sundown delivering payloads such as Zeus Panda, Dreambot, Chthonic, Andromeda, Neutrino Bot, Betabot, Smokebot, Remcos, Kronos and a cryptocurrency miner.

This is not the first time cybercriminals have abused a PoC exploit made available by Theori. The same thing happened last summer, when the developers of the Neutrino exploit kit adapted a PoC for CVE-2016-0189 that had been created by the company.

Kafeine has pointed out that the EK ecosystem has been “struggling to stay in shape” after it lost Angler, which he called its “innovation locomotive.” The expert said nearly six months have passed without any new exploits being added to EKs.

Sundown attracted the attention of the community in August 2015, when it was the first to integrate an exploit for an Internet Explorer vulnerability. Following the disappearance of bigger players such as Angler, Nuclear, Neutrino and Magnitude, it has become one of the top exploit kits and its authors continue to improve it.

Trend Micro researchers recently noticed that Sundown, which had typically not made an effort to hide its exploits, started using steganography to disguise malicious code in image files.

Related: Sundown Exploit Kit Outsources Coding Work

Related: Massive Malvertising Campaigns Hit Sites Worldwide

Related: Flash Player Remains Main Target of Exploit Kits

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.