
Sundown Exploit Kit Outsources Coding Work

Sundown, a relatively new exploit kit (EK), is outsourcing panel and Domain Generation Algorithm (DGA) coding work and stealing exploits in an attempt to improve its presence on the EK scene.

According to Trustwave researchers, the threat has seen various changes over the past several months and has started to incorporate exploits for recently discovered vulnerabilities, showing that its developers are eager to improve it. Despite the recent efforts, researchers say the threat still falls behind Neutrino and RIG, the leading exploit kits at the moment.

Among the latest changes, the actor behind Sundown has outsourced the panel and DGA coding work to the “Yugoslavian Business Network” (YBN) and has stolen exploits from other kits to incorporate into Sundown. Additionally, the threat was observed using domain shadowing, suggesting that the EK is being used in a more sophisticated way, researchers say.

Previously, Sundown was seen using subdomains for .top/.pw domains, but is now using better subdomain names, suggesting that something changed. According to Trustwave researchers, to perform their nefarious operations, the actor buys a soon-to-be-expired domain to benefit from its good reputation, then points it to a legitimate IP address to help the subdomains (which point to malicious IPs) stay alive longer before being blacklisted.
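The domain shadowing pattern described above (apex record kept on a reputable host, throwaway subdomains pointed elsewhere) is something a defender can look for in passive DNS data. The following is an added example, not code from Trustwave or from this article: it takes constructed passive-DNS style records and flags recently created subdomains that resolve outside the network of their apex domain. The record set, the day numbers and the /24 grouping are all assumptions made for the illustration; the apex extraction is deliberately naive (last two labels) and would need a public-suffix list for real data.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS style records: (hostname, resolved IPv4, first-seen day).
# The apex of the first domain stays on one host while new, random-looking
# subdomains appear weeks later on a different network -- the shadowing pattern.
CONSTRUCTED_RECORDS = [
    ("example-expired.top", "198.51.100.10", 1),
    ("www.example-expired.top", "198.51.100.10", 1),
    ("shop.example-expired.top", "198.51.100.10", 2),
    ("a1b2c3.example-expired.top", "203.0.113.45", 40),
    ("x9y8z7.example-expired.top", "203.0.113.46", 41),
    ("legit-corp.example", "192.0.2.5", 1),
    ("mail.legit-corp.example", "192.0.2.6", 1),
]


def apex_of(host):
    """Naive apex extraction (last two labels); an assumption for this example."""
    return ".".join(host.split(".")[-2:])


def find_shadowed(records, recent_after_day, prefix=24):
    """Return {apex: [subdomains]} for subdomains first seen on or after
    recent_after_day that resolve outside every /prefix network the apex uses."""
    by_apex = defaultdict(list)
    for host, ip, day in records:
        by_apex[apex_of(host)].append((host, ip, day))

    suspicious = {}
    for apex, entries in by_apex.items():
        apex_ips = {ip for host, ip, _ in entries if host == apex}
        if not apex_ips:
            continue  # no apex record to compare against
        apex_nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in apex_ips}
        flagged = []
        for host, ip, day in entries:
            if host == apex:
                continue
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            if net not in apex_nets and day >= recent_after_day:
                flagged.append(host)
        if flagged:
            suspicious[apex] = sorted(flagged)
    return suspicious


if __name__ == "__main__":
    for apex, subs in find_shadowed(CONSTRUCTED_RECORDS, recent_after_day=30).items():
        print(apex, "->", ", ".join(subs))
```

Hosts that only differ in their last octet from the apex are not flagged, so a CDN or a mail host in the same /24 does not trigger a hit; tune `prefix` and `recent_after_day` to the data you actually have.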

When analyzing the exploit kit’s landing page, researchers discovered that it contains “some new info.js file that is being loaded, a ‘.dec’ function called with some encrypted data followed by document.write of the decrypted code.” What’s more, the HTML tag is then closed and another HTML tag is opened, with some more script in it. The same code was observed on each page, Trustwave says.

The script was seen being added even to invalid requests made to the landing page, which also displays the YBN logo. The encrypted data on the page is an obfuscated script, “basically a base64 decode of more obfuscated data.” The base64 decode is a “JavaScript function that abuses the xmldom res:// vulnerability to avoid detection by looking for security software on the victim machine.” The method, however, is old and already patched.

The second HTML tag on the page, however, revealed four scripts: CVE-2015-2419, which was stolen from Angler; CVE-2016-0034, a Silverlight exploit stolen from RIG; the publicly available Hacking Team CVE-2015-5119; and a second stage Flash exploit that researchers say is the Magnitude CVE-2016-4117.

In an EK roundup for the summer, Zscaler notes that Sundown started using landing page obfuscation only recently and that the threat “has begun dropping a variant of the Kasidet backdoor with modified callback protocols” recently.

In early June, Zscaler says, Sundown was using a RIG rip-off tactic on its landing page, but abandoned it in the second half of the month and “stuffed nearly everything into base64-encoded blocks with an overabundance of <body> tags.” At the end of June, the security firm noticed that the page was performing a simple Internet Explorer check, which resulted in one of two different payloads being delivered.
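The landing page traits reported by Trustwave (an external info.js include, a decode-then-document.write pattern, a second HTML document opened after the first) and by Zscaler (large base64 blocks and a surplus of <body> tags) can be turned into a simple heuristic scorer for web proxy or sandbox output. The code below is an added example, not code from either vendor or from this article: it decodes any base64-looking blobs in a page and scores the indicators listed. The sample page, the `dec` function name on it and the decoded marker strings are constructed for the illustration, and the 64-character blob threshold is an assumption.

```python
import base64
import binascii
import re

# Patterns drawn from the published descriptions of the landing page.
HTML_TAG = re.compile(r"<html\b", re.I)
BODY_TAG = re.compile(r"<body\b", re.I)
INFO_JS_INCLUDE = re.compile(r"<script[^>]+src=[\"'][^\"']*info\.js", re.I)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # 64-char minimum is an assumption


def decode_base64_blobs(html):
    """Return the UTF-8 text of every base64-looking blob that decodes cleanly."""
    decoded = []
    for match in BASE64_BLOB.finditer(html):
        blob = match.group(0)
        blob += "=" * (-len(blob) % 4)  # re-pad blobs the regex may have trimmed
        try:
            data = base64.b64decode(blob, validate=True)
            decoded.append(data.decode("utf-8"))
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
    return decoded


def score_landing_page(html):
    """Return a dict of indicator -> bool plus a 'score' with the number of hits."""
    decoded = decode_base64_blobs(html)
    hits = {
        "multiple_html_tags": len(HTML_TAG.findall(html)) > 1,
        "multiple_body_tags": len(BODY_TAG.findall(html)) > 1,
        "info_js_include": bool(INFO_JS_INCLUDE.search(html)),
        "base64_blob": bool(decoded),
        "decoded_document_write": any("document.write" in d for d in decoded),
        "decoded_res_protocol": any("res://" in d for d in decoded),
    }
    hits["score"] = sum(1 for v in hits.values() if v is True)
    return hits


# Constructed sample: a harmless inner script carrying only the marker strings
# the scorer looks for, wrapped the way the article describes the real page.
SAMPLE_INNER = "document.write('<b>constructed</b>'); var probe = 'res://constructed-placeholder';"
SAMPLE_BLOB = base64.b64encode(SAMPLE_INNER.encode()).decode()
CONSTRUCTED_PAGE = (
    "<html><head><script src='/info.js'></script></head>"
    "<body><script>document.write(dec('" + SAMPLE_BLOB + "'));</script></body></html>"
    "<html><body><script>/* second document, more script */</script></body></html>"
)
BENIGN_PAGE = "<html><body>hello</body></html>"

if __name__ == "__main__":
    for name, page in (("constructed", CONSTRUCTED_PAGE), ("benign", BENIGN_PAGE)):
        print(name, score_landing_page(page))
```

Any single indicator here is weak on its own (plenty of legitimate pages embed base64), so the value is in the combined score; in practice you would feed the decoded blobs back into the scorer recursively, since the article notes the base64 layer itself unpacks to more obfuscated script.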

In early July, the security researchers noticed an inflation in the landing page’s code size and that the EK was dropping the NetWire/NetWiredRC backdoor. Within a week, the threat was dropping PuTTY version 0.66, and the landing page code started pointing at YBN, suggesting that it was around two months ago that the Sundown operators started outsourcing coding work to this group.

Also in early July, the Sundown EK quickly integrated into its landing page the CVE-2016-0189 exploit soon after it was published. This exploit is a VBScript memory corruption vulnerability in Internet Explorer 11, and “the standard Sundown landing page was replaced entirely with a modified version of the open source POC for the exploit,” Zscaler researchers note.

Related: RIG Developers Testing New Exploits, C&C Patterns
