Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Sundown Exploit Kit Variant Distributes Cryptocurrency Miner

An atypical variant of the Sundown exploit kit (EK) was recently seen using a different infrastructure than previously known and distributing a cryptocurrency mining application, Malwarebytes Labs security researchers reveal.

An atypical variant of the Sundown exploit kit (EK) was recently seen using a different infrastructure than previously known and distributing a cryptocurrency mining application, Malwarebytes Labs security researchers reveal.

Unlike the typical Sundown EK, which was recently seen using steganography to hide its exploits in harmless-looking image files, the newly seen variant features a plain JavaScript landing page. The Flash exploit used by both variants, however, was the same.

While the previous landing page used for this EK employed obfuscation, the newly spotted variant did not, and the infrastructure pushing the EK relies on a series of domains that are hosted on the same IP address.

According to Malwarebytes Labs, which suggests that a single actor is behind this campaign, there is little effort to hide the malicious activity of the exploit. On the compromised machines, the security researchers noticed an attempt to misguide the user through masquerading the process under the name “Windows Backup”.

The malicious code establishes an Internet connection and then attempts to download a set of parameters for a cryptocurrency mining application. The delivered payloads were UPX compressed, but the security researchers managed to dig into them and discover the commands that explained the tool’s purpose.

The application was linked to a Pastebin account for a user called “LoveMonero,” as well as to a Github account, which revealed that it was used to mine Monero cryptocurrency, not Bitcoin.

“This choice makes sense, because the pool of bitcoins is more and more saturated – and nowadays mining them is much more difficult and resource-consuming than it was in the past, when this currency was still young,” the security researchers explain.

The tool’s source code was being stored in the Github account, along with links with parameters. The researchers also discovered that the developer had edited one of the files only hours before, suggesting that the application was being actively maintained.

The repo also contained the links from where the malware was downloaded during the infection campaign, which were the same as those used by the exploit kit. It also revealed that the entire project was based on an open source tool for mining cryptocurrencies, the ccminer-cryptonight, albeit with some modifications.

“This campaign looks strange to us due to the fact that it has been prepared in an extremely careless way. There were a lot of traces stored in the application as well as the Github profile. Since the release of some opensource code of DDoS tools (Mirai) and ransomware (HiddenTear, Eda2) we can see the trend, that more and more novices are trying their luck in cybercrime. This application is yet another example of this tendency,” the security researchers concluded.

Related: Sundown Exploit Kit Outsources Coding Work

Related: Sundown EK First to Integrate Exploit for Recently Patched IE Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.