Sundown Exploit Kit Starts Using Steganography

A new version of the Sundown exploit kit uses a technique called steganography to hide its exploits in harmless-looking image files, Trend Micro reported on Thursday.
Steganography, the practice of hiding information within a file, has been increasingly used by malicious actors, including in the malvertising campaigns conducted recently by the AdGholas and GooNky groups.

According to Trend Micro, GooNky has attempted to hide its malvertising traffic by appending malicious code to the end of image files. AdGholas has used a more sophisticated technique through the Astrum (Stegano) exploit kit.

The attackers encoded a script in the alpha channel of an image. By abusing the alpha channel, which defines pixel transparency, cybercriminals could deliver their malicious code via rogue ads that looked like legitimate ads with a slightly different color.

A similar technique has been observed in a Sundown update spotted by Trend Micro on December 27. This update attracted the attention of researchers as Sundown had previously not made an effort to hide its exploits.

“In this updated version, the exploit kit’s malvertisement creates a hidden iframe that automatically connects to the Sundown landing page,” explained Trend Micro threat analysts. “The page will retrieve and download a white PNG image. It then decodes the data in this PNG file to obtain additional malicious code.”
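The two hiding patterns described above (GooNky appending code after the end of an image file, and Astrum/Sundown decoding a script from the alpha channel of an otherwise blank PNG) both leave measurable traces a defender can look for. The following is an added example, not code from Trend Micro or from any of the exploit kits named here; it uses only the Python standard library and constructs its own sample images. It parses a PNG chunk by chunk, reports any bytes after the IEND chunk, and, for 8-bit RGBA images, compares the entropy of the visible RGB data with that of the alpha channel: a white image whose alpha values are far more varied than its colours is the shape of the Stegano-style payload the article describes. The 4.0-bit alpha threshold and the 1.0-bit RGB ceiling are assumptions chosen for this example, not published detection values.

```python
"""Added defensive checks for the two PNG abuse patterns in the article: data
appended after IEND, and a visually blank image with a high-entropy alpha channel.
Stdlib only; the sample images below are constructed, not real campaign artefacts."""
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_rgba_png(width: int, height: int, pixels) -> bytes:
    """Encode (r, g, b, a) tuples as an 8-bit RGBA PNG using filter type 0 rows."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    rows = []
    for y in range(height):
        row = pixels[y * width:(y + 1) * width]
        rows.append(b"\x00" + bytes(v for px in row for v in px))
    idat = zlib.compress(b"".join(rows))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def parse_png(data: bytes) -> dict:
    """Walk the chunk list, verify every CRC, and return the IHDR fields, the
    concatenated IDAT payload and whatever bytes follow the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, idat, info, trailing = len(PNG_SIG), b"", {}, b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        pos += 12 + length
        if ctype == b"IHDR":
            w, h, depth, colour, _, _, _ = struct.unpack(">IIBBBBB", body)
            info.update(width=w, height=h, bit_depth=depth, color_type=colour)
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            trailing = data[pos:]  # a well-formed PNG ends here; anything after is appended
            break
    info.update(idat=idat, trailing=trailing)
    return info


def _unfilter(raw: bytes, width: int, height: int, bpp: int) -> bytes:
    """Reverse the per-row PNG filters (None, Sub, Up, Average, Paeth)."""
    stride = width * bpp
    prev, out, pos = bytes(stride), [], 0
    for _ in range(height):
        ftype, line = raw[pos], bytearray(raw[pos + 1:pos + 1 + stride])
        pos += 1 + stride
        for i in range(stride):
            a = line[i - bpp] if i >= bpp else 0  # left neighbour
            b = prev[i]                           # pixel above
            c = prev[i - bpp] if i >= bpp else 0  # upper-left neighbour
            if ftype == 4:                        # Paeth predictor
                p = a + b - c
                pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
                pred = a if pa <= pb and pa <= pc else (b if pb <= pc else c)
            else:
                pred = (0, a, b, (a + b) // 2)[ftype]
            line[i] = (line[i] + pred) & 0xFF
        out.append(bytes(line))
        prev = bytes(line)
    return b"".join(out)


def _entropy(values) -> float:
    """Shannon entropy in bits of a sequence of hashable symbols."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values()) if n else 0.0


def analyze_png(data: bytes, alpha_threshold: float = 4.0) -> dict:
    """Flag trailing data after IEND, or a near-uniform RGB image whose alpha
    channel is far more varied than the visible picture would justify."""
    info = parse_png(data)
    f = {"trailing_bytes": len(info["trailing"]), "rgb_entropy": 0.0, "alpha_entropy": 0.0}
    if info.get("color_type") == 6 and info.get("bit_depth") == 8:  # 8-bit RGBA only
        px = _unfilter(zlib.decompress(info["idat"]), info["width"], info["height"], 4)
        f["rgb_entropy"] = _entropy([px[i:i + 3] for i in range(0, len(px), 4)])
        f["alpha_entropy"] = _entropy(px[3::4])
    f["suspicious"] = f["trailing_bytes"] > 0 or (
        f["alpha_entropy"] >= alpha_threshold and f["rgb_entropy"] < 1.0)
    return f


# Constructed 32x32 all-white samples; the "noise" alpha is a counter, not a payload.
WHITE = [(255, 255, 255, 255)] * 1024
BENIGN = build_rgba_png(32, 32, WHITE)
APPENDED = BENIGN + b"constructed trailing bytes"  # append-after-IEND pattern
ALPHA_NOISE = build_rgba_png(32, 32, [(255, 255, 255, (i * 37) & 0xFF) for i in range(1024)])
```

Run `analyze_png()` over each sample: the plain white image reports nothing, the appended copy reports 26 trailing bytes, and the third reports 8 bits of alpha entropy against 0 bits of RGB entropy, which is exactly the "white PNG that carries something" profile. In a web proxy or ad-quality pipeline the same two checks can be applied to every image creative before it is served; the entropy test is a heuristic and should be tuned against the real alpha-channel statistics of legitimate creatives rather than used with the example thresholds as-is.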

In the attacks analyzed by the security firm, cybercriminals used PNG images to disguise various exploits, including ones targeting Internet Explorer (CVE-2015-2419, CVE-2016-0189) and Flash Player (CVE-2016-4117).

The updated version of Sundown has been used in several malvertising campaigns, with more than half of victims located in Japan, Canada, France and the United States. One of the pieces of malware delivered in these operations was the Chthonic banking Trojan.

Sundown attracted the attention of researchers in August 2015, when it was the first to integrate an exploit for a recently patched Internet Explorer vulnerability. Following the disappearance of bigger players such as Angler, Nuclear, Neutrino and Magnitude, it has become one of the top exploit kits.

One of the recent major campaigns leveraging Sundown – along with the RIG exploit kit – delivered CryLocker ransomware. In these attacks, cybercrooks used PNG files to exfiltrate information from infected systems.

Related: Sundown Exploit Kit Outsources Coding Work

Related: Massive Malvertising Campaigns Hit Sites Worldwide

Related: Flash Player Remains Main Target of Exploit Kits

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
