Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/31/2017
04:12 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Sundown' Rises as New Threat in Depleted Exploit Kit Landscape

New exploits and obfuscation tactics have made once second-tier EK a potent threat, researchers from Cisco Talos say.

Attacks involving the use of exploit kits dropped off dramatically and have remained low ever since Russian authorities arrested over four-dozen individuals believed to be associated with the Angler EK last year. But a few kits remain active and continue to pose a threat to users.

One of them is Sundown, an exploit kit that many considered relatively unsophisticated a few months ago but has gradually evolved into a substantial threat.

Researchers from Cisco’s Talos who have been tracking the kit this week described Sundown as having matured into a major player within the exploit landscape since they last saw it.

“Many of the 'calling cards' that have historically been associated with Sundown have been removed, possibly indicating that the threat actors are making an attempt to make it more difficult to identify as Sundown,” says Talos threat researcher Edmund Brumaghin. “Sundown is now one of the most heavily leveraged exploit kits since the disappearance of several larger exploit kits.”

Many of the exploit kit’s original identifiers have been stripped, making it harder to spot. For instance, previous versions of the EK used to contain multiple references to the Yugoslavian Business Network, making it easily identifiable. Those references are now missing. Missing too in new versions of Sundown are the numeric subfolders and numeric file names and proper extensions that were the markers of the old EK.

Several new exploits have been added to Sundown, while some, like those targeting vulnerabilities in the Silverlight browser plugin, have been dropped. Among the new exploits is one that is based on a publicly available proof of concept targeting a recently disclosed vulnerability in the Microsoft Edge browser. Sundown is one of the few EKs in the world that have added new exploits in recent months, according to Talos.

Sundown also appears to have adopted a new approach to compromising systems. Unlike other kits that use just a single exploit to try and compromise a system, Sundown deploys its entire collection of malware tools against a potential victim. The approach, while noisy, appears designed to give the EK the best chance of breaking into a system, Talos said in the alert.

Sundown has changed in other ways as well. Previously for instance, the exploit kit would retrieve its payload via the web browser. The current version of Sundown retrieves the payload via the command line and the use of a Windows service for executing VBScript files.

The approach is similar to, and indeed appears borrowed from, the one used by another malware kit—RIG-v—to retrieve its payload. Sundown’s payloads now reside on a different server from the one it uses to host its landing page and exploit pages. “The use of different servers for hosting exploit payloads indicates that the actors behind Sundown may be experimenting with more complex infrastructure design for the exploit kit,” Brumaghin says.

One of the most significant changes to the Sundown EK campaign is the use of domain resellers to collect domains for hosting Sundown activity. The authors of the kit appear to be buying legitimately registered domains in bulk from resellers in an apparent bid to avoid blacklists and other filters. In many cases, the authors of Sundown are looking for domains that have been registered for at least one week to avoid filters that block domains that have just been registered.

“Several of the largest, most heavily leveraged Exploit Kits [such as] Angler, Neutrino, Nuclear, have largely disappeared from the threat landscape,” Brumaghin says. “Sundown has remained operational and this increased development and maturation may be indicative of their desire to fill the void left behind by the other larger exploit kits that have stopped operations.”

Related stories:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
technicalaccademy
50%
50%
technicalaccademy,
User Rank: Apprentice
4/11/2017 | 1:34:27 AM
Technology
Thanks for sharing the new threat in depleted exploitkit landscape.it is very helpful
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31922
PUBLISHED: 2021-05-14
An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.
CVE-2021-32051
PUBLISHED: 2021-05-14
Hexagon G!nius Auskunftsportal before 5.0.0.0 allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
CVE-2021-32615
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
CVE-2021-33026
PUBLISHED: 2021-05-13
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the ca...
CVE-2021-31876
PUBLISHED: 2021-05-13
Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with ...