3/31/2017
04:12 PM

'Sundown' Rises as New Threat in Depleted Exploit Kit Landscape

New exploits and obfuscation tactics have made once second-tier EK a potent threat, researchers from Cisco Talos say.

Attacks involving exploit kits dropped off dramatically, and have remained low ever since, after Russian authorities arrested more than four dozen individuals believed to be associated with the Angler EK last year. But a few kits remain active and continue to pose a threat to users.

One of them is Sundown, an exploit kit that many considered relatively unsophisticated a few months ago but has gradually evolved into a substantial threat.

Researchers from Cisco Talos, who have been tracking the kit, this week described Sundown as having matured into a major player in the exploit kit landscape since they last examined it.

“Many of the 'calling cards' that have historically been associated with Sundown have been removed, possibly indicating that the threat actors are making an attempt to make it more difficult to identify as Sundown,” says Talos threat researcher Edmund Brumaghin. “Sundown is now one of the most heavily leveraged exploit kits since the disappearance of several larger exploit kits.”

Many of the exploit kit's original identifiers have been stripped, making it harder to spot. For instance, previous versions of the EK contained multiple references to the Yugoslavian Business Network, which made it easy to identify. Those references are now gone. Also missing from new versions of Sundown are the numeric subfolders, numeric file names, and proper file extensions that were the markers of the old EK.

Several new exploits have been added to Sundown, while some, like those targeting vulnerabilities in the Silverlight browser plugin, have been dropped. Among the new exploits is one that is based on a publicly available proof of concept targeting a recently disclosed vulnerability in the Microsoft Edge browser. Sundown is one of the few EKs in the world that have added new exploits in recent months, according to Talos.

Sundown also appears to have adopted a new approach to compromising systems. Unlike other kits that use a single exploit to try to compromise a system, Sundown fires its entire collection of exploits at a potential victim. The approach, while noisy, appears designed to give the EK the best chance of breaking into a system, Talos said in the alert.

Sundown has changed in other ways as well. Previously, for instance, the exploit kit retrieved its payload via the web browser. The current version of Sundown retrieves the payload via the command line, using a Windows service that executes VBScript files.

The approach is similar to, and indeed appears borrowed from, the one used by another kit, RIG-v, to retrieve its payload. Sundown's payloads now reside on a different server from the one that hosts its landing page and exploit pages. "The use of different servers for hosting exploit payloads indicates that the actors behind Sundown may be experimenting with more complex infrastructure design for the exploit kit," Brumaghin says.
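The payload-retrieval change described in the two paragraphs above has a defender-side corollary: a script host being launched from a browser's process tree is unusual on most endpoints and is worth alerting on. The following is an added detection sketch, not code from the article or from Talos. It assumes that the "Windows service for executing VBScript files" is the Windows Script Host (wscript.exe / cscript.exe), and it runs over constructed, Sysmon-style process-creation records whose field names (pid, ppid, image, cmd) are assumptions rather than a real Sysmon schema. It walks each script host's ancestry, tolerating intermediate command shells, and flags the launch when a web browser sits further up the chain.

```python
"""Flag Windows Script Host launches whose process ancestry leads back to a browser.

Added example (not Talos's code). Records are constructed Sysmon-style
process-creation events; the field names are assumptions.
"""
import json

# Assumed process names: script hosts to watch, browsers that should not spawn
# them, and shells that may legitimately sit between the two in the tree.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"iexplore.exe", "microsoftedge.exe", "chrome.exe", "firefox.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample log: one JSON record per line. pid 400 and pid 800 are the
# suspicious launches; pid 600 is a benign logon script started from Explorer.
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 4,   "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "cmd": "iexplore.exe"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.vbs"}
{"pid": 400, "ppid": 300, "image": "C:\\Windows\\System32\\wscript.exe", "cmd": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.vbs"}
{"pid": 500, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe"}
{"pid": 600, "ppid": 500, "image": "C:\\Windows\\System32\\cscript.exe", "cmd": "cscript.exe C:\\Scripts\\logon.vbs"}
{"pid": 700, "ppid": 100, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmd": "chrome.exe"}
{"pid": 800, "ppid": 700, "image": "C:\\Windows\\System32\\wscript.exe", "cmd": "wscript.exe C:\\Users\\alice\\Downloads\\invoice.vbs"}
"""


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(pid, by_pid, max_depth=16):
    """Image names from the given process up to the root or an unknown parent.

    The depth cap and the seen-set guard against pid reuse creating a cycle.
    """
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        event = by_pid[pid]
        chain.append(basename(event["image"]))
        pid = event["ppid"]
    return chain


def find_browser_spawned_script_hosts(events):
    """Return one finding per script host whose ancestors, through at most a
    run of shells, include a web browser."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        if basename(event["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(event["pid"], by_pid)
        # chain[0] is the script host itself; inspect its ancestors in order.
        for idx, name in enumerate(chain[1:], start=1):
            if name in BROWSERS:
                findings.append({
                    "pid": event["pid"],
                    "chain": " <- ".join(chain[:idx + 1]),
                    "cmd": event["cmd"],
                })
                break
            if name not in SHELLS:
                break  # a non-shell, non-browser ancestor: benign lineage
    return findings


if __name__ == "__main__":
    for hit in find_browser_spawned_script_hosts(parse_events(SAMPLE_EVENTS)):
        print(f"pid {hit['pid']}: {hit['chain']} :: {hit['cmd']}")
```

Only the two browser-rooted launches are reported; the logon script started from Explorer through cmd.exe is left alone because the ancestry walk stops at the first ancestor that is neither a shell nor a browser. In production the same logic would be fed from Sysmon Event ID 1 or EDR telemetry, and the browser and shell lists tuned to the environment.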

One of the most significant changes to the Sundown EK campaign is the use of domain resellers to acquire domains for hosting Sundown activity. The authors of the kit appear to be buying legitimately registered domains in bulk from resellers in an apparent bid to evade blacklists and other filters. In many cases, they look for domains that have been registered for at least one week, to get past filters that block newly registered domains.

“Several of the largest, most heavily leveraged Exploit Kits [such as] Angler, Neutrino, Nuclear, have largely disappeared from the threat landscape,” Brumaghin says. “Sundown has remained operational and this increased development and maturation may be indicative of their desire to fill the void left behind by the other larger exploit kits that have stopped operations.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
technicalaccademy, User Rank: Apprentice
4/11/2017 | 1:34:27 AM
Technology
Thanks for sharing the new threat in the depleted exploit kit landscape. It is very helpful.