Attacks/Breaches

3/31/2017
04:12 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Sundown' Rises as New Threat in Depleted Exploit Kit Landscape

New exploits and obfuscation tactics have made once second-tier EK a potent threat, researchers from Cisco Talos say.

Attacks involving the use of exploit kits dropped off dramatically and have remained low ever since Russian authorities arrested over four-dozen individuals believed to be associated with the Angler EK last year. But a few kits remain active and continue to pose a threat to users.

One of them is Sundown, an exploit kit that many considered relatively unsophisticated a few months ago but has gradually evolved into a substantial threat.

Researchers from Cisco’s Talos who have been tracking the kit this week described Sundown as having matured into a major player within the exploit landscape since they last saw it.

“Many of the 'calling cards' that have historically been associated with Sundown have been removed, possibly indicating that the threat actors are making an attempt to make it more difficult to identify as Sundown,” says Talos threat researcher Edmund Brumaghin. “Sundown is now one of the most heavily leveraged exploit kits since the disappearance of several larger exploit kits.”

Many of the exploit kit’s original identifiers have been stripped, making it harder to spot. For instance, previous versions of the EK used to contain multiple references to the Yugoslavian Business Network, making it easily identifiable. Those references are now missing. Missing too in new versions of Sundown are the numeric subfolders and numeric file names and proper extensions that were the markers of the old EK.

Several new exploits have been added to Sundown, while some, like those targeting vulnerabilities in the Silverlight browser plugin, have been dropped. Among the new exploits is one that is based on a publicly available proof of concept targeting a recently disclosed vulnerability in the Microsoft Edge browser. Sundown is one of the few EKs in the world that have added new exploits in recent months, according to Talos.

Sundown also appears to have adopted a new approach to compromising systems. Unlike other kits that use just a single exploit to try and compromise a system, Sundown deploys its entire collection of malware tools against a potential victim. The approach, while noisy, appears designed to give the EK the best chance of breaking into a system, Talos said in the alert.

Sundown has changed in other ways as well. Previously for instance, the exploit kit would retrieve its payload via the web browser. The current version of Sundown retrieves the payload via the command line and the use of a Windows service for executing VBScript files.

The approach is similar to, and indeed appears borrowed from, the one used by another malware kit—RIG-v—to retrieve its payload. Sundown’s payloads now reside on a different server from the one it uses to host its landing page and exploit pages. “The use of different servers for hosting exploit payloads indicates that the actors behind Sundown may be experimenting with more complex infrastructure design for the exploit kit,” Brumaghin says.

One of the most significant changes to the Sundown EK campaign is the use of domain resellers to collect domains for hosting Sundown activity. The authors of the kit appear to be buying legitimately registered domains in bulk from resellers in an apparent bid to avoid blacklists and other filters. In many cases, the authors of Sundown are looking for domains that have been registered for at least one week to avoid filters that block domains that have just been registered.

“Several of the largest, most heavily leveraged Exploit Kits [such as] Angler, Neutrino, Nuclear, have largely disappeared from the threat landscape,” Brumaghin says. “Sundown has remained operational and this increased development and maturation may be indicative of their desire to fill the void left behind by the other larger exploit kits that have stopped operations.”

Related stories:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
technicalaccademy
50%
50%
technicalaccademy,
User Rank: Apprentice
4/11/2017 | 1:34:27 AM
Technology
Thanks for sharing the new threat in depleted exploitkit landscape.it is very helpful
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3483
PUBLISHED: 2019-03-25
Mitigates a potential information leakage issue in ArcSight Logger versions prior to 6.7.
CVE-2019-3484
PUBLISHED: 2019-03-25
Mitigates a remote code execution issue in ArcSight Logger versions prior to 6.7.
CVE-2019-6240
PUBLISHED: 2019-03-25
An issue was discovered in GitLab Community and Enterprise Edition before 11.4. It allows Directory Traversal.
CVE-2015-3953
PUBLISHED: 2019-03-25
Hard-coded accounts may be used to access Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior. Hospira recommends that customers close Port 20/FTP and Port 23/TELNET on the affected devices. Hospi...
CVE-2015-3954
PUBLISHED: 2019-03-25
Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior give unauthenticated users root privileges on Port 23/TELNET by default. An unauthorized user could issue commands to the pump. Hospira recommen...