One year after the exploit kit (EK) landscape was shaken by the sudden disappearance of the Angler and Nuclear kits, another change is happening in the segment. While the Sundown EK has been inactive for the past month or so, the recent Terror EK is being used in new campaigns, researchers say.
While not new, Sundown has been a small player in the EK market, and showed increased presence only after Neutrino became silent last September, although it didn’t make it to the top three by the end of the year.
Its operators have been highly active with the integration of new exploits and the adoption of new technologies, including steganography, which allowed them to hide exploits in harmless-looking image files.
Just weeks ago, Cisco Talos published an analysis of Sundown, revealing the latest changes the EK’s operators had adopted, such as a switch to new vulnerabilities to exploit and modifications to the landing page’s code, which started showing similarities to the RIG EK.
Soon after, however, security researchers noticed that Sundown had been silent for over a month, and started questioning whether it still existed:
Sundown (Beps) and Nebula out? More than one month since last hits. pic.twitter.com/KVRFrzvHTG
— Kafeine (@kafeine) April 8, 2017
Variants of Sundown also seem to have disappeared from the scene, including Bizarro and Greenflash, which could indicate a complete cessation of operations, Malwarebytes Labs researchers suggest. However, it remains to be seen whether Sundown is just taking a break or has vanished for good.
Simultaneously, another EK is picking up pace, namely Terror. Initially detailed in January and considered a Sundown variant because of many code similarities, Terror appears to be involved in several distribution campaigns, and the security researchers suggest that it could pose a real threat.
Terror EK’s author, whom Trustwave identified on various underground forums by the handle @666_KingCobra, is selling the kit under different names, researchers say. The threat has apparently also been known under the names Blaze, Neptune, and Eris.
The best-known instance of Terror is engaged in a malvertising campaign distributing Smoke Loader, which Malwarebytes has been monitoring for a while. Leveraging various ad networks that generate low-quality traffic, the campaign uses Internet Explorer, Flash, and Silverlight exploits to compromise users’ systems.
A newer campaign, however, uses a different landing page and no longer distributes Smoke Loader, instead pushing the Andromeda malware as the final payload. Active for only a few days, the campaign redirects victims to the EK landing page either via a server-side HTTP 302 redirect or via script injection. Only Flash and Internet Explorer exploits are abused in these attacks.
“Sundown EK was notorious for stealing exploits from others and the tradition continues with more copy/paste from the ashes of dead exploit kits. If this harvesting was done on higher grade EKs, we would have a more potent threat but this isn’t the case here,” Malwarebytes concludes.
Related: New Terror Exploit Kit Emerges