Sundown Exploit Kit Outsources Coding Work

Sundown, a relatively new exploit kit (EK), is outsourcing panel and Domain Generation Algorithm (DGA) coding work and stealing exploits in an attempt to improve its presence on the EK scene.

According to Trustwave researchers, the threat has seen various changes over the past several months and has started to incorporate exploits for recently discovered vulnerabilities, showing that its developers are eager to improve it. Despite the recent efforts, researchers say the threat still falls behind Neutrino and RIG, the leading exploit kits at the moment.

The latest changes made by the actor behind Sundown include outsourcing the panel and DGA coding work to the “Yugoslavian Business Network” (YBN), as well as stealing exploits from other kits to incorporate them into Sundown. Additionally, the threat was observed using domain shadowing, suggesting that the EK is being used in a more sophisticated way, researchers say.

Previously, Sundown was seen using subdomains of .top/.pw domains, but it is now using better subdomain names, suggesting that something changed. According to Trustwave researchers, the actor buys a soon-to-be-expired domain to benefit from its established reputation, then points the domain itself at a legitimate IP address so that the subdomains (which point to malicious IPs) stay alive longer before being blacklisted.
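As an added illustration (not from the article or Trustwave), the following Python flags the pattern just described in passive-DNS style records: an aged apex domain resolving to one address while freshly created subdomains resolve elsewhere. The records, the two-label apex rule and the 30-day age threshold are constructed assumptions.

```python
"""Flag domain-shadowing candidates in passive-DNS style records.

Added example, not from the article or Trustwave. It looks for an aged apex
domain that resolves to a legitimate IP while freshly created subdomains under
it resolve to other IPs. Records and the 30-day threshold are constructed.
"""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style records: (fqdn, ipv4, first_seen)
RECORDS = [
    ("aged-domain.top", "203.0.113.10", date(2014, 3, 2)),
    ("www.aged-domain.top", "203.0.113.10", date(2014, 3, 2)),
    ("ab3k9q.aged-domain.top", "198.51.100.77", date(2016, 7, 20)),
    ("zx7ml2.aged-domain.top", "198.51.100.78", date(2016, 7, 21)),
    ("legit-site.pw", "192.0.2.5", date(2012, 1, 1)),
    ("mail.legit-site.pw", "192.0.2.6", date(2012, 1, 1)),
]

def apex_of(fqdn):
    """Two-label apex; assumed adequate for this sample (no public-suffix list)."""
    return ".".join(fqdn.split(".")[-2:])

def shadowing_candidates(records, observed_on, max_age_days=30):
    """Return {apex: [subdomains]} for young subdomains resolving away from apex IPs."""
    by_apex = defaultdict(list)
    for fqdn, ip, seen in records:
        by_apex[apex_of(fqdn)].append((fqdn, ip, seen))
    hits = {}
    for apex, rows in by_apex.items():
        apex_ips = {ip for fqdn, ip, _ in rows if fqdn == apex}
        if not apex_ips:
            continue  # nothing to compare the subdomains against
        suspicious = sorted(
            fqdn for fqdn, ip, seen in rows
            if fqdn != apex and ip not in apex_ips
            and (observed_on - seen).days <= max_age_days
        )
        if suspicious:
            hits[apex] = suspicious
    return hits

def run_sample():
    """Evaluate the constructed records as of a fixed observation date."""
    return shadowing_candidates(RECORDS, date(2016, 8, 1))

if __name__ == "__main__":
    for apex, subs in run_sample().items():
        print(apex, "->", ", ".join(subs))
```

The long-lived mail.legit-site.pw record also resolves away from its apex but is older than the threshold, so it is not flagged.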

When analyzing the exploit kit’s landing page, researchers discovered that it contains “some new info.js file that is being loaded, a ‘.dec’ function called with some encrypted data followed by document.write of the decrypted code.” What’s more, the HTML tag is then closed and another HTML tag is opened, with some more script in it. The same code was observed on each page, Trustwave says.

The script was seen being added even to invalid requests made to the landing page, which also displays the YBN logo. The encrypted data on the page is an obfuscated script, “basically a base64 decode of more obfuscated data.” Decoding the base64 yields a “JavaScript function that abuses the xmldom res:// vulnerability to avoid detection by looking for security software on the victim machine.” The method, however, is old and already patched.

The second HTML tag on the page contained four exploit scripts: CVE-2015-2419, stolen from Angler; CVE-2016-0034, a Silverlight exploit stolen from RIG; the publicly available Hacking Team CVE-2015-5119; and a second-stage Flash exploit that researchers say is Magnitude’s CVE-2016-4117.

In an EK roundup for the summer, Zscaler notes that Sundown started using landing page obfuscation only recently and that the threat “has begun dropping a variant of the Kasidet backdoor with modified callback protocols” recently.

In early June, Zscaler says, Sundown was using a RIG rip-off tactic on its landing page, but abandoned it in the second half of the month and “stuffed nearly everything into base64-encoded blocks with an overabundance of <body> tags.” At the end of June, the security firm noticed that the page was performing a simple Internet Explorer check, which determined which of two different payloads was delivered.
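The landing-page traits reported by Trustwave above (an info.js include, a .dec call on encoded data, document.write of the result, a second HTML tag, res:// in the decoded data) and by Zscaler here (base64-encoded blocks, repeated <body> tags) can be combined into a simple triage heuristic for captured HTTP response bodies. This is an added example, not code from either firm; the regex thresholds and the sample page are constructed.

```python
"""Score an HTML body for the Sundown landing-page traits the article reports.

Added example, not Trustwave's or Zscaler's code. Traits checked: an info.js
include, a .dec(...) call on encoded data, document.write of the result,
repeated <html>/<body> tags, long base64 blocks, and decoded blocks that
reference res:// resources. Thresholds and the sample page are constructed.
"""
import base64
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # 200+ chars is an assumed floor

def decode_b64_blocks(html):
    """Return the decoded text of every long base64 run that decodes cleanly."""
    out = []
    for m in B64_RUN.finditer(html):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode("latin-1"))
        except ValueError:
            continue  # not valid base64 after all
    return out

def score_landing_page(html):
    """Return (score, reasons); each matched trait adds one point."""
    reasons, low = [], html.lower()
    if re.search(r"<script[^>]+src=[\"']?[^\"'>]*info\.js", low):
        reasons.append("info.js include")
    if re.search(r"\.dec\s*\(\s*[\"'][A-Za-z0-9+/=]{40,}", html):
        reasons.append(".dec() called on encoded data")
    if "document.write" in low:
        reasons.append("document.write of decoded code")
    if low.count("<html") > 1 or low.count("<body") > 1:
        reasons.append("multiple <html>/<body> tags")
    blocks = decode_b64_blocks(html)
    if blocks:
        reasons.append(f"{len(blocks)} long base64 block(s)")
    if any("res://" in b for b in blocks):
        reasons.append("decoded block references res://")
    return len(reasons), reasons

# Constructed sample page; the decoded stage is an inert stub, not real code.
_STUB = "/* constructed stage-2 stub */ " + "// filler " * 14 + "var r = 'res://PLACEHOLDER';"
_B64 = base64.b64encode(_STUB.encode()).decode()
SAMPLE_PAGE = (
    '<html><head><script src="/info.js"></script></head><body>'
    f'<script>document.write(z.dec("{_B64}"));</script></body></html>'
    '<html><body><script>/* second stage would follow */</script></body></html>'
)
BENIGN_PAGE = "<html><head><title>t</title></head><body><p>hello</p></body></html>"
```

Run `score_landing_page(SAMPLE_PAGE)` to see all six traits matched, against zero for `BENIGN_PAGE`; in practice the score would feed a proxy or sandbox triage queue rather than a block decision on its own.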

In early July, the security researchers noticed that the landing page’s code size had inflated and that the EK was dropping the NetWire/NetWiredRC backdoor. Within a week, the threat was dropping PuTTY version 0.66, and the landing page code started pointing at YBN, suggesting that the Sundown operators started outsourcing coding work to this group around two months ago.

Also in early July, the Sundown EK integrated the CVE-2016-0189 exploit into its landing page soon after it was published. The exploit targets a VBScript memory corruption vulnerability in Internet Explorer 11, and “the standard Sundown landing page was replaced entirely with a modified version of the open source POC for the exploit,” Zscaler researchers note.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
