Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Sundown EK First to Integrate Exploit for Recently Patched IE Flaw

Researchers at Symantec noticed that an exploit for a recently patched vulnerability affecting Internet Explorer (CVE-2015-2444) was added to the Sundown exploit kit. Sundown is the first EK to integrate an exploit for this particular flaw.

Researchers at Symantec noticed that an exploit for a recently patched vulnerability affecting Internet Explorer (CVE-2015-2444) was added to the Sundown exploit kit. Sundown is the first EK to integrate an exploit for this particular flaw.

This is a noteworthy case considering that new exploits usually show up in the more popular exploit kits first. Currently, the developers of the Angler EK seem to be the best when it comes to using recently patched and even zero-day vulnerabilities. Angler is followed by Nuclear, Neutrino, and Magnitude, whose developers have also done a good job at integrating new exploits.

A brief analysis of the Sundown EK was published in June by the French researcher known as “Kafeine.” The exploit pack was dubbed “Sundown” by William Metcalf from Emerging Threats because it had been used to target Japanese users.

Kafeine noted at the time that Sundown, which has been around since April, was in the same category as the Archie EK, based on traffic sources and level of sophistication. A different version of the same exploit kit, dubbed “Beta,” was analyzed earlier this year by researchers Aditya Sood and Rohit Bansal.

Symantec has observed watering hole attacks that leverage the Sundown EK to deliver a backdoor Trojan detected by the security firm as Trojan.Nancrat. The malware allows attackers to steal information from infected computers.

In order to deliver the Trojan to victims’ computers, Sundown attempts to exploit various vulnerabilities, including CVE-2015-2444, a critical memory corruption flaw in Internet Explorer patched by Microsoft on August 11 as part of the company’s monthly security updates.

When it patched the remote code execution security hole, Microsoft noted that the flaw had not been publicly disclosed and there wasn’t any evidence of exploitation.

The attacks monitored by Symantec mainly affect users in Japan, but some infections have also been spotted in the United States, Brazil, Canada, and the United Kingdom.

The attackers injected an iframe into a hijacked website in order to redirect users to a highly obfuscated webpage hosting the Sundown exploit kit. The kit is designed to check for the presence of certain security software, sandboxes and traffic analysis tools before dropping its exploits, Symantec said.

In the campaign observed by the security firm, Sundown also leveraged six other exploits, including four Flash Player, one Windows and one Internet Explorer exploits. These exploits were also seen by Kafeine when he analyzed Sundown back in June.

Related Reading: Just-Patched Internet Explorer Flaw Used in Watering Hole Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Vulnerabilities

A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.