Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Sundown Exploit Kit Variant Distributes Cryptocurrency Miner

An atypical variant of the Sundown exploit kit (EK) was recently seen using a different infrastructure than previously known and distributing a cryptocurrency mining application, Malwarebytes Labs security researchers reveal.

An atypical variant of the Sundown exploit kit (EK) was recently seen using a different infrastructure than previously known and distributing a cryptocurrency mining application, Malwarebytes Labs security researchers reveal.

Unlike the typical Sundown EK, which was recently seen using steganography to hide its exploits in harmless-looking image files, the newly seen variant features a plain JavaScript landing page. The Flash exploit used by both variants, however, was the same.

While the previous landing page used for this EK employed obfuscation, the newly spotted variant did not, and the infrastructure pushing the EK relies on a series of domains that are hosted on the same IP address.

According to Malwarebytes Labs, which suggests that a single actor is behind this campaign, there is little effort to hide the malicious activity of the exploit. On the compromised machines, the security researchers noticed an attempt to misguide the user through masquerading the process under the name “Windows Backup”.

The malicious code establishes an Internet connection and then attempts to download a set of parameters for a cryptocurrency mining application. The delivered payloads were UPX compressed, but the security researchers managed to dig into them and discover the commands that explained the tool’s purpose.

The application was linked to a Pastebin account for a user called “LoveMonero,” as well as to a Github account, which revealed that it was used to mine Monero cryptocurrency, not Bitcoin.

“This choice makes sense, because the pool of bitcoins is more and more saturated – and nowadays mining them is much more difficult and resource-consuming than it was in the past, when this currency was still young,” the security researchers explain.

The tool’s source code was being stored in the Github account, along with links with parameters. The researchers also discovered that the developer had edited one of the files only hours before, suggesting that the application was being actively maintained.

The repo also contained the links from where the malware was downloaded during the infection campaign, which were the same as those used by the exploit kit. It also revealed that the entire project was based on an open source tool for mining cryptocurrencies, the ccminer-cryptonight, albeit with some modifications.

“This campaign looks strange to us due to the fact that it has been prepared in an extremely careless way. There were a lot of traces stored in the application as well as the Github profile. Since the release of some opensource code of DDoS tools (Mirai) and ransomware (HiddenTear, Eda2) we can see the trend, that more and more novices are trying their luck in cybercrime. This application is yet another example of this tendency,” the security researchers concluded.

Related: Sundown Exploit Kit Outsources Coding Work

Related: Sundown EK First to Integrate Exploit for Recently Patched IE Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...