Bizarro Sundown

Bizarro Sundown is a new exploit kit (EK) created based on the Sundown EK. Bizarro Sundown shares many of the same features as the Sundown EK, with the addition of anti-analysis capabilities. The EK was first observed by Trendmicro on October 5th with a second sighting on October 19th. The first attack exploited a memory corruption flaw in Microsoft’s Internet Explorer and use-after-free and out-of bound read vulnerabilities in Adobe Flash Player. The attackers used anti-crawling functionality to impede automated crawlers used by researchers. The second attack, dubbed GreenFlash Sundown, changed its redirection chain, making the URL format appear to be legitimate web advertisements. Trendmicro researchers believe both attacks were perpetrated by the ShadowGate/WordsJS campaign, targeting mainly Korean and Taiwanese users. The Bizarro Sundown EK has been observed delivering various versions of the Locky Ransomware to its victims, encrypting their files with the extension .odin.

Technical Details

  • Trendmicro provides a technical analysis of the Bizarro Sundown exploit kit here