Security Experts:

Sundown EK First to Integrate Exploit for Recently Patched IE Flaw

Researchers at Symantec noticed that an exploit for a recently patched vulnerability affecting Internet Explorer (CVE-2015-2444) was added to the Sundown exploit kit. Sundown is the first EK to integrate an exploit for this particular flaw.

This is a noteworthy case considering that new exploits usually show up in the more popular exploit kits first. Currently, the developers of the Angler EK seem to be the best when it comes to using recently patched and even zero-day vulnerabilities. Angler is followed by Nuclear, Neutrino, and Magnitude, whose developers have also done a good job at integrating new exploits.

A brief analysis of the Sundown EK was published in June by the French researcher known as “Kafeine.” The exploit pack was dubbed “Sundown” by William Metcalf from Emerging Threats because it had been used to target Japanese users.

Kafeine noted at the time that Sundown, which has been around since April, was in the same category as the Archie EK, based on traffic sources and level of sophistication. A different version of the same exploit kit, dubbed “Beta,” was analyzed earlier this year by researchers Aditya Sood and Rohit Bansal.

Symantec has observed watering hole attacks that leverage the Sundown EK to deliver a backdoor Trojan detected by the security firm as Trojan.Nancrat. The malware allows attackers to steal information from infected computers.

In order to deliver the Trojan to victims’ computers, Sundown attempts to exploit various vulnerabilities, including CVE-2015-2444, a critical memory corruption flaw in Internet Explorer patched by Microsoft on August 11 as part of the company’s monthly security updates.

When it patched the remote code execution security hole, Microsoft noted that the flaw had not been publicly disclosed and there wasn’t any evidence of exploitation.

The attacks monitored by Symantec mainly affect users in Japan, but some infections have also been spotted in the United States, Brazil, Canada, and the United Kingdom.

The attackers injected an iframe into a hijacked website in order to redirect users to a highly obfuscated webpage hosting the Sundown exploit kit. The kit is designed to check for the presence of certain security software, sandboxes and traffic analysis tools before dropping its exploits, Symantec said.

In the campaign observed by the security firm, Sundown also leveraged six other exploits, including four Flash Player, one Windows and one Internet Explorer exploits. These exploits were also seen by Kafeine when he analyzed Sundown back in June.

Related Reading: Just-Patched Internet Explorer Flaw Used in Watering Hole Attacks

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.