Security Experts:

Connect with us

Hi, what are you looking for?



Sundown EK First to Integrate Exploit for Recently Patched IE Flaw

Researchers at Symantec noticed that an exploit for a recently patched vulnerability affecting Internet Explorer (CVE-2015-2444) was added to the Sundown exploit kit. Sundown is the first EK to integrate an exploit for this particular flaw.

Researchers at Symantec noticed that an exploit for a recently patched vulnerability affecting Internet Explorer (CVE-2015-2444) was added to the Sundown exploit kit. Sundown is the first EK to integrate an exploit for this particular flaw.

This is a noteworthy case considering that new exploits usually show up in the more popular exploit kits first. Currently, the developers of the Angler EK seem to be the best when it comes to using recently patched and even zero-day vulnerabilities. Angler is followed by Nuclear, Neutrino, and Magnitude, whose developers have also done a good job at integrating new exploits.

A brief analysis of the Sundown EK was published in June by the French researcher known as “Kafeine.” The exploit pack was dubbed “Sundown” by William Metcalf from Emerging Threats because it had been used to target Japanese users.

Kafeine noted at the time that Sundown, which has been around since April, was in the same category as the Archie EK, based on traffic sources and level of sophistication. A different version of the same exploit kit, dubbed “Beta,” was analyzed earlier this year by researchers Aditya Sood and Rohit Bansal.

Symantec has observed watering hole attacks that leverage the Sundown EK to deliver a backdoor Trojan detected by the security firm as Trojan.Nancrat. The malware allows attackers to steal information from infected computers.

In order to deliver the Trojan to victims’ computers, Sundown attempts to exploit various vulnerabilities, including CVE-2015-2444, a critical memory corruption flaw in Internet Explorer patched by Microsoft on August 11 as part of the company’s monthly security updates.

When it patched the remote code execution security hole, Microsoft noted that the flaw had not been publicly disclosed and there wasn’t any evidence of exploitation.

The attacks monitored by Symantec mainly affect users in Japan, but some infections have also been spotted in the United States, Brazil, Canada, and the United Kingdom.

The attackers injected an iframe into a hijacked website in order to redirect users to a highly obfuscated webpage hosting the Sundown exploit kit. The kit is designed to check for the presence of certain security software, sandboxes and traffic analysis tools before dropping its exploits, Symantec said.

In the campaign observed by the security firm, Sundown also leveraged six other exploits, including four Flash Player, one Windows and one Internet Explorer exploits. These exploits were also seen by Kafeine when he analyzed Sundown back in June.

Related Reading: Just-Patched Internet Explorer Flaw Used in Watering Hole Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet