Sundown

Sundown exploit kit (EK), also known as Beta, is not as sophisticated as other EKs and conducted limited activity in the first half of 2016, following the sudden drop-off in Angler and Nuclear EK activity. Sundown typically infects users through malvertising and was the first EK to exploit a vulnerability in Internet Explorer, CVE-2015-2444, in August 2015. By exploiting this vulnerability, attackers were able to inject an iframe into a legitimate website, redirecting users to an obfuscated landing page with the Sundown EK.
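The infection chain described above starts with an iframe injected into a legitimate page that silently sends the visitor to the EK landing page. The following is an added example, not code from the original page: a small heuristic scanner that parses HTML and flags iframes that are hidden or sized to a pixel, or that point at a host other than the site's own. The sample HTML and the hostnames in it are constructed placeholders.

```python
"""Flag injected iframes that redirect visitors to an off-site landing page.

Added example (not from the original page): a heuristic scanner over HTML
that looks for iframes with hidden/zero-size styling or an external source
host, the pattern described for the Sundown iframe injection. The sample
HTML below is constructed and its hostnames are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Heuristic: CSS that hides the frame, or width/height of 1px or less."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # Dimensions may be HTML attributes or CSS properties; treat <= 1 as hidden.
    dims = [attrs.get("width", ""), attrs.get("height", "")]
    dims += re.findall(r"(?:width|height):(\d+)", style)
    for d in dims:
        m = re.match(r"\d+", str(d))
        if m and int(m.group()) <= 1:
            return True
    return False


def find_suspicious_iframes(html, site_host):
    """Return a list of (src, reasons) for each iframe that looks injected.

    site_host is the hostname the page legitimately belongs to; an iframe
    whose src points at any other host is flagged as "external-src".
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname or ""
        if host and host != site_host:
            reasons.append("external-src")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one benign embed and one injected, hidden, off-site frame.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://legit.example/video" width="640" height="360"></iframe>
<iframe src="http://landing.example.invalid/index.php?x=1" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_HTML, "legit.example"):
        print(f"suspicious iframe {src}: {', '.join(why)}")
```

Run it over a saved copy of a page (or a web proxy's response body) with the site's own hostname as `site_host`; anything reported as both `external-src` and `hidden` is worth pulling the referenced URL for from a sandbox, since a legitimately embedded frame is rarely both off-site and invisible.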

Since Sundown's resurgence in the last few weeks, its creators appear to be advancing the EK’s capabilities. In June, researchers at Zscaler noticed that a section of Sundown’s landing page appeared to be identical to that of the RIG EK, causing it to be falsely labeled as RIG. The landing page also featured exploits for Adobe Flash Player. By late June, the landing page had changed: it no longer contained RIG EK code and was able to evade detection signatures. In early July, a significant amount of code had been added to the landing page, and the EK began delivering the Netwire RAT (also referred to as NetWired RC RAT). On July 5, researchers found a splash page with an image of the “Yugoslavian Business Network” logo. It’s unclear whether the Russian Business Network, a well-known cyber crime organization, is responsible for the EK. By July 7, a version of the Kasidet malware was included in the EK’s functionality.

Reporting

  • August 2015: Sundown adds Internet Explorer exploit. (Symantec)
  • July 2016: Observations of Sundown exploit kit's evolution. (Zscaler)
  • October 2016: Recent Sundown activity is discovered. (Cisco Talos)
  • November 2016: Sundown has become a significant threat responsible for a large number of infections over the past six months. (Threatpost)
  • December 2016: Sundown EK discovered using steganography to hide the exploit code in PNG files. (Trend Micro)
  • January 2017: Sundown EK started exploiting two Microsoft Edge vulnerabilities a few days after researchers published the proof-of-concept exploit. (Security Week)
  • March 2017: The EK’s authors have made significant changes to the Sundown landing page patterns and rebranded it as “Nebula.” (SCMagazine)
  • July 2017: A malvertising campaign, "ProMediads," is directing users to a new pirated version of the Sundown EK, dubbed "Sundown-Pirate." As of June 25, the EK delivered the SmokeLoader trojan, which installed the botnet infector Zyklon; as of July 12, it delivered the LockPOS malware and the cryptocurrency mining software "CPUMiner-Multi"; and on July 13, the EK began delivering the Stampado ransomware. (Trend Micro)
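The December 2016 entry above reports Sundown hiding exploit code inside PNG files. The following is an added example, not code from the original page or from any of the cited vendor reports, and it does not describe how Sundown itself encoded its payload: it is a generic PNG chunk walker that flags the places where foreign data can be stashed in an otherwise valid image (bytes after IEND, non-standard chunk types, unusually large text chunks, bad CRCs). The PNG bytes it inspects are constructed in the script.

```python
"""Walk a PNG's chunk structure and flag where foreign data could be hidden.

Added example (not from the original page or any vendor report). The checks
are generic forensic heuristics for data hidden in a PNG container, not a
description of Sundown's actual encoding. All PNG bytes are constructed here.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Standard critical and ancillary chunk types from the PNG specification.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM",
                b"sRGB", b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs",
                b"sBIT", b"sPLT", b"hIST", b"tIME"}


def _chunk(ctype, data):
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def build_png(width=1, height=1, extra_chunks=(), trailer=b""):
    """Construct a minimal valid 8-bit RGB PNG for testing.

    extra_chunks are (type, data) pairs inserted before IEND; trailer is
    appended verbatim after IEND, the simplest place to hide data.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    body = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw))
    for ctype, data in extra_chunks:
        body += _chunk(ctype, data)
    return body + _chunk(b"IEND", b"") + trailer


def inspect_png(blob, text_limit=4096):
    """Return a list of finding strings for a PNG byte string.

    Possible findings: bad-signature, truncated, bad-crc:<type>,
    unknown-chunk:<type>, large-text-chunk:<type>, trailing-bytes:<n>.
    text_limit is an assumed threshold; tune it for the images you see.
    """
    findings = []
    if not blob.startswith(PNG_SIG):
        return ["bad-signature"]
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_bytes) < 4:
            findings.append("truncated")
            return findings
        name = ctype.decode("latin-1")
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            findings.append("bad-crc:" + name)
        if ctype not in KNOWN_CHUNKS:
            findings.append("unknown-chunk:" + name)
        if ctype in (b"tEXt", b"zTXt", b"iTXt") and length > text_limit:
            findings.append("large-text-chunk:" + name)
        pos += 12 + length
        if ctype == b"IEND":
            break
    # Anything after IEND is ignored by image decoders but still travels with the file.
    if pos < len(blob):
        findings.append(f"trailing-bytes:{len(blob) - pos}")
    return findings


if __name__ == "__main__":
    clean = build_png()
    stuffed = build_png(extra_chunks=[(b"zTXt", b"\x00" * 8192), (b"eXpl", b"junk")],
                        trailer=b"CONSTRUCTED-TRAILER-DATA")
    print("clean:", inspect_png(clean))
    print("stuffed:", inspect_png(stuffed))
```

A clean image produces no findings; trailing bytes, unknown chunk types and oversized text chunks are each cheap to check on images pulled from a proxy or sandbox and make a reasonable first-pass filter before handing a file to deeper analysis. Note that data hidden inside the pixel values themselves (a valid IDAT stream) passes all of these checks, so an empty result is not proof of a clean file.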

Technical Details

  • Zscaler has published technical information on the recent updates to the Sundown EK.