Sundown exploit kit – Conquering the criminal underground

Pierluigi Paganini November 03, 2016

Cisco Talos group analyzed the evolution of the Sundown exploit kit that over the past six months has become responsible for a large number of infections.

Over the past months, the threat landscape for exploit kits has been changing rapidly. Angler EK, Neutrino EK, and Nuclear EK, which for years dominated the criminal underground, have disappeared.

Now, researchers at the Cisco Talos group have analyzed the rapid evolution of a newer threat, the Sundown exploit kit, which over the past six months has become responsible for a large number of infections.

“Over the last six months the exploit kit landscape has seen some major changes.” reads a blog post published by the Talos Group. “What remains is a group of smaller exploit kits vying for pole position in an industry that continues to generate millions of dollars from payloads such as ransomware and banking trojans.”

“It’s now time to turn to another exploit kit that is active on the landscape, Sundown. The Sundown exploit kit has previously been part of the second tier of exploit kits that includes Magnitude and Sweet Orange. These kits successfully compromise users, but typically are not accompanied with the advanced techniques and wide-spread use of the other major exploit kits. It’s not to say these kits aren’t significant threats, but from a potential victim perspective they historically do not have the reach associated with other EKs from before such as Angler or RIG.”

The Sundown EK currently ranks second, behind RIG EK, the most widely used crimeware kit in the criminal ecosystem.

The threat actors behind the Sundown exploit kit rely on an infrastructure of 80,000 malicious subdomains associated with more than 500 domains.

The experts observed that the crooks behind the Sundown exploit kit use wildcard subdomains, which exponentially grow the number of routes for malicious traffic to the servers hosting the dreaded EK.

The downside of using wildcards is the impact on the core domain: while the domain is active, any attempt to resolve it will point to the malicious server used by the crooks.

In one case, over a 24-hour period, the researchers observed a single Sundown domain generating about three subdomains a minute.

“For a 24 hour period this particular Sundown campaign was seen generating approximately 3 subdomains a minute for the entire day.” states the analysis.

Figure: Count of Unique Sundown Subdomains by Day (Talos analysis)

While RIG EK has been used to drop a variety of malware, including banking Trojans and data stealers, the Sundown exploit kit has been used only to serve banking Trojans. Talos has observed Sundown campaigns exploiting both Adobe Flash and Silverlight vulnerabilities to compromise victims’ systems.

“One interesting aspect is that they used standard extensions for those files. All requests for flash files end in “.swf” and all silverlight requests end in “.xap” which isn’t particularly common for exploit kits as they typically will try and obfuscate the activity.” continues the analysis.
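The two observations above, a burst of unique subdomains under one parent domain and the unobfuscated “.swf”/“.xap” file names, can be combined into a simple triage heuristic for proxy or DNS logs. The script below is an added example written for this article, not code from the Talos report; the log format, the domain names and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (timestamp client url); not real Sundown traffic.
SAMPLE_LOG = """\
2016-10-20T10:00:05Z 10.0.0.5 http://a1x.example-ek.test/index.php
2016-10-20T10:00:17Z 10.0.0.7 http://b7q.example-ek.test/index.php
2016-10-20T10:00:41Z 10.0.0.9 http://c3m.example-ek.test/flash.swf
2016-10-20T10:01:02Z 10.0.0.5 http://d8k.example-ek.test/index.php
2016-10-20T10:01:30Z 10.0.0.6 http://e2n.example-ek.test/sl.xap
2016-10-20T10:01:55Z 10.0.0.8 http://f5p.example-ek.test/index.php
2016-10-20T10:00:10Z 10.0.0.5 http://www.example-cdn.test/app.swf
2016-10-20T10:01:10Z 10.0.0.5 http://static.example-cdn.test/app.swf
"""

PLUGIN_EXTENSIONS = (".swf", ".xap")  # unobfuscated Flash/Silverlight names noted by Talos

def parent_domain(host: str) -> str:
    """Registrable parent = last two labels (assumption: no multi-label public suffixes)."""
    return ".".join(host.split(".")[-2:])

def analyze(log_text: str):
    """Per parent domain: unique hosts seen in each minute, plus the .swf/.xap request count."""
    per_minute = defaultdict(lambda: defaultdict(set))  # domain -> "YYYY-MM-DDTHH:MM" -> {hosts}
    plugin_hits = defaultdict(int)
    for line in log_text.splitlines():
        ts, _client, url = line.split()
        parsed = urlparse(url)
        dom = parent_domain(parsed.hostname)
        per_minute[dom][ts[:16]].add(parsed.hostname)  # ISO timestamp: first 16 chars = minute
        if parsed.path.lower().endswith(PLUGIN_EXTENSIONS):
            plugin_hits[dom] += 1
    return per_minute, plugin_hits

def flag_domains(log_text: str, subdomains_per_minute: int = 3, min_plugin_hits: int = 1):
    """Flag parent domains whose peak unique-subdomain rate reaches the threshold and that
    also served plugin files. A triage signal for wildcard-style EK hosting, not proof."""
    per_minute, plugin_hits = analyze(log_text)
    flagged = {}
    for dom, minutes in per_minute.items():
        peak = max(len(hosts) for hosts in minutes.values())
        if peak >= subdomains_per_minute and plugin_hits[dom] >= min_plugin_hits:
            flagged[dom] = {
                "peak_per_minute": peak,
                "unique_subdomains": len(set().union(*minutes.values())),
                "plugin_hits": plugin_hits[dom],
            }
    return flagged
```

Running `flag_domains(SAMPLE_LOG)` flags only `example-ek.test` (peak of three new subdomains in one minute, six overall, two plugin-file requests); the CDN-style domain serves `.swf` files from stable hostnames and stays clear.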

Talos also highlighted a blunder by the threat actors: when the researchers browsed directly to an active Sundown landing page without any parameters, they received a Base64-encoded Sundown logo instead of empty data or a 404 response.

The text on the image states “Yugoslavian Business Network.”


For more information, see the Talos report, which also includes the IOCs for the Sundown exploit kit.



Pierluigi Paganini

(Security Affairs – Stealth Cell Tower, espionage)
