An atypical variant of the Sundown exploit kit (EK) was recently seen using a different infrastructure than previously known and distributing a cryptocurrency mining application, Malwarebytes Labs security researchers reveal.
While the previous landing page used for this EK employed obfuscation, the newly spotted variant did not, and the infrastructure pushing the EK relies on a series of domains that are hosted on the same IP address.
According to Malwarebytes Labs, which suggests that a single actor is behind this campaign, there is little effort to hide the malicious activity of the exploit. On the compromised machines, the security researchers noticed an attempt to misguide the user through masquerading the process under the name “Windows Backup”.
The malicious code establishes an Internet connection and then attempts to download a set of parameters for a cryptocurrency mining application. The delivered payloads were UPX compressed, but the security researchers managed to dig into them and discover the commands that explained the tool’s purpose.
The application was linked to a Pastebin account for a user called “LoveMonero,” as well as to a Github account, which revealed that it was used to mine Monero cryptocurrency, not Bitcoin.
“This choice makes sense, because the pool of bitcoins is more and more saturated – and nowadays mining them is much more difficult and resource-consuming than it was in the past, when this currency was still young,” the security researchers explain.
The tool’s source code was being stored in the Github account, along with links with parameters. The researchers also discovered that the developer had edited one of the files only hours before, suggesting that the application was being actively maintained.
The repo also contained the links from where the malware was downloaded during the infection campaign, which were the same as those used by the exploit kit. It also revealed that the entire project was based on an open source tool for mining cryptocurrencies, the ccminer-cryptonight, albeit with some modifications.
“This campaign looks strange to us due to the fact that it has been prepared in an extremely careless way. There were a lot of traces stored in the application as well as the Github profile. Since the release of some opensource code of DDoS tools (Mirai) and ransomware (HiddenTear, Eda2) we can see the trend, that more and more novices are trying their luck in cybercrime. This application is yet another example of this tendency,” the security researchers concluded.