Sundown Exploit Kit Outsources Coding Work

Sundown, a relatively new exploit kit (EK), is outsourcing panel and Domain Generation Algorithm (DGA) coding work and stealing exploits in an attempt to improve its presence on the EK scene.

According to Trustwave researchers, the threat has seen various changes over the past several months and has started to incorporate exploits for recently discovered vulnerabilities, showing that its developers are eager to improve it. Despite the recent efforts, researchers say the threat still falls behind Neutrino and RIG, the leading exploit kits at the moment.

Recent changes by the actor behind Sundown include outsourcing the panel and DGA coding work to the “Yugoslavian Business Network,” as well as stealing exploits to incorporate into the kit. Additionally, the threat was observed using domain shadowing, suggesting that the EK is being used in a more sophisticated way, researchers say.

Previously, Sundown was seen using subdomains for .top/.pw domains, but is now using better subdomain names, suggesting that something changed. According to Trustwave researchers, to perform their nefarious operations, the actor buys a soon-to-be-expired domain to benefit from its good reputation, then points it to a legitimate IP address to help the subdomains (which point to malicious IPs) stay alive longer before being blacklisted.
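One way a defender could hunt for the pattern described above in passive-DNS data, where the registered domain resolves to one network while several of its subdomains resolve elsewhere. This is an added example, not code from Trustwave or the original article; the record format, the `/24` comparison, the threshold, and the sample names and addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS observations (name, resolved IPv4); not real indicators.
SAMPLE_PDNS = [
    ("example-shop.test", "192.0.2.10"),
    ("www.example-shop.test", "192.0.2.10"),
    ("qkd.example-shop.test", "203.0.113.77"),
    ("mzt.example-shop.test", "203.0.113.77"),
    ("rpl.example-shop.test", "203.0.113.78"),
    ("example-corp.test", "198.51.100.4"),
    ("blog.example-corp.test", "198.51.100.5"),
]

def registered_domain(name):
    # Simplification: the last two labels. Production code should use the
    # Public Suffix List so that suffixes such as co.uk are handled.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def find_shadowing_candidates(records, prefix_len=24, min_subdomains=3):
    """Return {domain: [(subdomain, ip), ...]} for domains whose subdomains
    resolve outside every network used by the apex (or www) record."""
    apex_nets = defaultdict(set)   # domain -> networks the apex/www resolves into
    sub_obs = defaultdict(set)     # domain -> (subdomain, ip, network)
    for name, ip in records:
        name = name.lower().rstrip(".")
        dom = registered_domain(name)
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        if name in (dom, "www." + dom):
            apex_nets[dom].add(net)
        else:
            sub_obs[dom].add((name, ip, net))
    findings = {}
    for dom, obs in sub_obs.items():
        if dom not in apex_nets:
            continue  # no apex baseline observed, nothing to compare against
        off_net = sorted((n, ip) for n, ip, net in obs if net not in apex_nets[dom])
        if len({n for n, _ in off_net}) >= min_subdomains:
            findings[dom] = off_net
    return findings

if __name__ == "__main__":
    for dom, subs in find_shadowing_candidates(SAMPLE_PDNS).items():
        print(dom, subs)
```

Domains fronted by CDNs or split across hosting providers will also match, so the output is a lead for review (registration age, subdomain label entropy, blocklist hits) rather than a verdict.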

When analyzing the exploit kit’s landing page, researchers discovered that it contains “some new info.js file that is being loaded, a ‘.dec’ function called with some encrypted data followed by document.write of the decrypted code.” What’s more, the HTML tag is then closed and another HTML tag is opened, with some more script in it. The same code was observed on each page, Trustwave says.

The script was seen being added even to invalid requests made to the landing page, which also displays the YBN logo. The encrypted data on the page is an obfuscated script, “basically a base64 decode of more obfuscated data.” The base64 decode is a “JavaScript function that abuses the xmldom res:// vulnerability to avoid detection by looking for security software on the victim machine.” The method, however, is old and already patched.

The second HTML tag on the page, however, revealed four scripts: CVE-2015-2419, which was stolen from Angler; CVE-2016-0034, a Silverlight exploit stolen from RIG; the publicly available Hacking Team CVE-2015-5119; and a second stage Flash exploit that researchers say is the Magnitude CVE-2016-4117.

In an EK roundup for the summer, Zscaler notes that Sundown only recently started using landing page obfuscation and that the threat “has begun dropping a variant of the Kasidet backdoor with modified callback protocols.”

In early June, Zscaler says, Sundown was using a RIG rip-off tactic on its landing page, but abandoned it in the second half of the month and “stuffed nearly everything into base64-encoded blocks with an overabundance of <body> tags.” At the end of June, the security firm noticed that the page was performing a simple Internet Explorer check, which resulted in one of two different payloads being delivered.
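The structural traits reported by Trustwave and Zscaler (a closed and reopened HTML tag, surplus `<body>` tags, large base64 blocks, and `document.write` of decoded data) can be checked statically on a captured response. The following is an added example, not code from either vendor or from the original article; the 200-character blob threshold, the signal names, the `dec()` call in the sample and the inert sample pages are assumptions constructed for illustration.

```python
import base64
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}")  # long base64-alphabet runs only

def decode_blobs(html):
    """Decode every long base64 run found in the page source."""
    blobs = []
    for match in B64_RUN.finditer(html):
        run = match.group(0)
        # Trim to a multiple of 4 so decoding never fails on a cut-off run.
        blobs.append(base64.b64decode(run[: len(run) // 4 * 4]))
    return blobs

def printable_ratio(data):
    ok = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return ok / max(len(data), 1)

def triage_landing_page(html):
    """Score a captured page on the structural traits described in the reports."""
    lowered = html.lower()
    blobs = decode_blobs(html)
    signals = {
        "reopened_html_tag": len(re.findall(r"<html\b", lowered)) > 1,
        "excess_body_tags": len(re.findall(r"<body\b", lowered)) > 1,
        "large_base64_blocks": len(blobs) > 0,
        "blob_decodes_to_text": any(printable_ratio(b) > 0.9 for b in blobs),
        "document_write": "document.write(" in lowered,
    }
    return {"signals": signals, "score": sum(signals.values())}

def constructed_samples():
    # Constructed, inert inputs: the encoded block is a repeated harmless comment.
    inner = base64.b64encode(b"/* constructed placeholder script */\n" * 8).decode()
    suspicious = (
        "<html><body><script src='info.js'></script>"
        f"<script>document.write(dec('{inner}'));</script></body></html>"
        "<html><body><body><body><script></script></body></html>"
    )
    benign = "<html><head><title>ok</title></head><body><p>hello</p></body></html>"
    return suspicious, benign

if __name__ == "__main__":
    for page in constructed_samples():
        print(triage_landing_page(page))
```

Each signal also appears on legitimate pages on its own (inline images are base64, many sites call `document.write`), so the score is meant for ranking proxy or sandbox captures, with the decoded blobs passed on for further analysis.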

In early July, the security researchers noticed an inflation in the landing page’s code size and that the EK was dropping the NetWire/NetWiredRC backdoor. Within a week, the threat was dropping PuTTY version 0.66, and the landing page code started pointing at YBN, suggesting that it was around two months ago that the Sundown operators started outsourcing coding work to this group.

Also in early July, the Sundown EK integrated the CVE-2016-0189 exploit into its landing page soon after it was published. The exploit targets a VBScript memory corruption vulnerability in Internet Explorer 11, and “the standard Sundown landing page was replaced entirely with a modified version of the open source POC for the exploit,” Zscaler researchers note.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
