Sundown Exploit Kit Starts Using Steganography

A new version of the Sundown exploit kit uses a technique called steganography to hide its exploits in harmless-looking image files, Trend Micro reported on Thursday.
Steganography, the practice of hiding information within a file, has been increasingly used by malicious actors, including in the malvertising campaigns conducted recently by the AdGholas and GooNky groups.

According to Trend Micro, GooNky has attempted to hide its malvertising traffic by appending malicious code to the end of image files. AdGholas has used a more sophisticated technique through the Astrum (Stegano) exploit kit.

The attackers encoded a script in the alpha channel of an image. By abusing the alpha channel, which defines pixel transparency, cybercriminals could deliver their malicious code via rogue ads that looked like legitimate ads with a slightly different color.

A similar technique has been observed in a Sundown update spotted by Trend Micro on December 27. This update attracted the attention of researchers as Sundown had previously not made an effort to hide its exploits.

“In this updated version, the exploit kit’s malvertisement creates a hidden iframe that automatically connects to the Sundown landing page,” explained Trend Micro threat analysts. “The page will retrieve and download a white PNG image. It then decodes the data in this PNG file to obtain additional malicious code.”
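Both tricks described above, code appended past the end of an image file and data carried in the alpha channel of an image that looks plain white, leave traces a defender can check for in the file itself. The following Python script is an added example written for this article, not code from Trend Micro or from any of the campaigns discussed. It builds three small constructed RGBA PNGs (a clean white image, the same image with a constructed byte string appended after the IEND chunk, and a white image whose alpha values vary by a few units), then parses each one and reports trailing bytes and the Shannon entropy of the alpha channel. The 2.0-bit entropy threshold and the constructed filenames are assumptions chosen for the demonstration.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ALPHA_ENTROPY_THRESHOLD = 2.0  # assumed threshold; a flat image has near-constant alpha


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_rgba_png(width: int, height: int, pixels: list) -> bytes:
    """Build a minimal 8-bit RGBA PNG (filter type 0 on every row) from (r, g, b, a) tuples."""
    raw = bytearray()
    for y in range(height):
        raw.append(0)  # filter byte: 0 = None
        for x in range(width):
            raw.extend(pixels[y * width + x])
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # depth 8, colour type 6 (RGBA)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b""))


def parse_png(data: bytes):
    """Walk the chunk list up to IEND; return (chunks, bytes_after_IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length + type + data + CRC
        chunks.append((ctype, body))
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def alpha_channel(chunks) -> bytes:
    """Decompress IDAT for an unfiltered 8-bit RGBA image and return only the alpha bytes."""
    ihdr = next(d for t, d in chunks if t == b"IHDR")
    width, height, depth, colour_type = struct.unpack(">IIBB", ihdr[:10])
    if depth != 8 or colour_type != 6:
        raise ValueError("example handles only 8-bit RGBA images")
    raw = zlib.decompress(b"".join(d for t, d in chunks if t == b"IDAT"))
    stride = 1 + width * 4
    alpha = bytearray()
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("example handles only unfiltered scanlines")
        alpha.extend(row[4::4])  # row[0] is the filter byte; A is the 4th byte of each pixel
    return bytes(alpha)


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def assess_png(data: bytes) -> dict:
    """Report trailing data after IEND and unusual variation in the alpha channel."""
    chunks, trailing = parse_png(data)
    alpha = alpha_channel(chunks)
    entropy = shannon_entropy(alpha)
    findings = []
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND chunk")
    if entropy > ALPHA_ENTROPY_THRESHOLD:
        findings.append(f"alpha channel entropy {entropy:.2f} bits")
    return {"trailing_bytes": len(trailing), "alpha_entropy": entropy,
            "opaque_fraction": alpha.count(255) / len(alpha), "findings": findings}


# Constructed samples (16x16 white images), not files from any real campaign.
_N = 16 * 16
CLEAN_PNG = make_rgba_png(16, 16, [(255, 255, 255, 255)] * _N)
TRAILER = b"CONSTRUCTED-TRAILING-BYTES"  # stands in for data appended past IEND
TRAILING_PNG = CLEAN_PNG + TRAILER
# alpha cycles through 250..255, so the image still looks white and almost fully opaque
SUBTLE_ALPHA_PNG = make_rgba_png(16, 16, [(255, 255, 255, 250 + (i % 6)) for i in range(_N)])

if __name__ == "__main__":
    for name, blob in (("clean.png", CLEAN_PNG), ("trailing.png", TRAILING_PNG),
                       ("subtle_alpha.png", SUBTLE_ALPHA_PNG)):
        print(name, assess_png(blob))
```

The two checks are cheap enough to run on every image fetched by an ad slot or landing page; the alpha-entropy check in particular catches the case the article describes, an image that renders as plain white yet carries far more variation in its transparency plane than a flat image should.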

In the attacks analyzed by the security firm, cybercriminals used PNG images to disguise various exploits, including ones targeting Internet Explorer (CVE-2015-2419, CVE-2016-0189) and Flash Player (CVE-2016-4117).
The updated version of Sundown has been used in several malvertising campaigns, with more than half of victims located in Japan, Canada, France and the United States. One of the pieces of malware delivered in these operations was the Chthonic banking Trojan.

Sundown attracted the attention of researchers in August 2015, when it was the first to integrate an exploit for a recently patched Internet Explorer vulnerability. Following the disappearance of bigger players such as Angler, Nuclear, Neutrino and Magnitude, it has become one of the top exploit kits.

One of the recent major campaigns leveraging Sundown – along with the RIG exploit kit – delivered CryLocker ransomware. In these attacks, cybercrooks used PNG files to exfiltrate information from infected systems.

Related: Sundown Exploit Kit Outsources Coding Work

Related: Massive Malvertising Campaigns Hit Sites Worldwide

Related: Flash Player Remains Main Target of Exploit Kits

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.