Attacks involving the use of exploit kits dropped off dramatically and have remained low ever since Russian authorities arrested over four-dozen individuals believed to be associated with the Angler EK last year. But a few kits remain active and continue to pose a threat to users.
One of them is Sundown, an exploit kit that many considered relatively unsophisticated a few months ago but has gradually evolved into a substantial threat.
Researchers from Cisco’s Talos who have been tracking the kit this week described Sundown as having matured into a major player within the exploit landscape since they last saw it.
“Many of the 'calling cards' that have historically been associated with Sundown have been removed, possibly indicating that the threat actors are making an attempt to make it more difficult to identify as Sundown,” says Talos threat researcher Edmund Brumaghin. “Sundown is now one of the most heavily leveraged exploit kits since the disappearance of several larger exploit kits.”
Many of the exploit kit’s original identifiers have been stripped, making it harder to spot. For instance, previous versions of the EK used to contain multiple references to the Yugoslavian Business Network, making it easily identifiable. Those references are now missing. Missing too in new versions of Sundown are the numeric subfolders and numeric file names and proper extensions that were the markers of the old EK.
Several new exploits have been added to Sundown, while some, like those targeting vulnerabilities in the Silverlight browser plugin, have been dropped. Among the new exploits is one that is based on a publicly available proof of concept targeting a recently disclosed vulnerability in the Microsoft Edge browser. Sundown is one of the few EKs in the world that have added new exploits in recent months, according to Talos.
Sundown also appears to have adopted a new approach to compromising systems. Unlike other kits that use just a single exploit to try and compromise a system, Sundown deploys its entire collection of malware tools against a potential victim. The approach, while noisy, appears designed to give the EK the best chance of breaking into a system, Talos said in the alert.
Sundown has changed in other ways as well. Previously for instance, the exploit kit would retrieve its payload via the web browser. The current version of Sundown retrieves the payload via the command line and the use of a Windows service for executing VBScript files.
The approach is similar to, and indeed appears borrowed from, the one used by another malware kit—RIG-v—to retrieve its payload. Sundown’s payloads now reside on a different server from the one it uses to host its landing page and exploit pages. “The use of different servers for hosting exploit payloads indicates that the actors behind Sundown may be experimenting with more complex infrastructure design for the exploit kit,” Brumaghin says.
One of the most significant changes to the Sundown EK campaign is the use of domain resellers to collect domains for hosting Sundown activity. The authors of the kit appear to be buying legitimately registered domains in bulk from resellers in an apparent bid to avoid blacklists and other filters. In many cases, the authors of Sundown are looking for domains that have been registered for at least one week to avoid filters that block domains that have just been registered.
“Several of the largest, most heavily leveraged Exploit Kits [such as] Angler, Neutrino, Nuclear, have largely disappeared from the threat landscape,” Brumaghin says. “Sundown has remained operational and this increased development and maturation may be indicative of their desire to fill the void left behind by the other larger exploit kits that have stopped operations.”
- Exploit Kit-Based Attacks Decline Dramatically
- Exploit Kits: Winter 2017 Review
- Researchers Disrupt Angler Exploit Kit, Ransomware Operation