Researchers at Trustwave have published a blog looking at the Sundown exploit kit. Sundown is one of the recent entrants into the exploit kit market. When it first appeared, malware researcher Kafeine described it on the Malware Don’t Need Coffee website as ‘nothing special’. But are things about to change?
The SpiderLabs team at Trustwave says that they might be. In a blog entitled ‘Sundown EK – Stealing its way to the Top’ the SpiderLabs team takes a closer look at Sundown. What they have discovered is that the author is outsourcing the development of the exploit kit and stealing from others. It will be interesting to see how much of the exploit kit market vacated by Angler and Neutrino, Sundown can grab.
Sundown using domain shadowing to look less obvious
Domain shadowing is the technique of using a lot of subdomains that appear to be part of a larger, more legitimate domain. Cybercriminals start by getting access to domain registrant accounts and then use that access to create their own subdomains under the legitimate domain. They are hard to detect because the initial trace goes back to the legitimate domain. The subdomains have a very short life, which makes it difficult for security teams to track them.
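The pattern described above is something a defender can look for in passive DNS data: a registered domain whose long-lived hostnames resolve to one set of addresses while a burst of short-lived subdomains points somewhere else. The following is an added example, not code from the Trustwave blog; the records, hostnames and addresses are constructed and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS style records: (fqdn, resolved_ip, first_seen, last_seen).
# Hypothetical names and documentation-range addresses, not indicators from the article.
RECORDS = [
    ("www.example-shop.test", "198.51.100.10", "2016-06-01", "2016-09-30"),
    ("a7f3k.example-shop.test", "203.0.113.5", "2016-09-02", "2016-09-03"),
    ("q9z2m.example-shop.test", "203.0.113.5", "2016-09-03", "2016-09-04"),
    ("b81xc.example-shop.test", "203.0.113.6", "2016-09-04", "2016-09-05"),
    ("www.clean-blog.test", "192.0.2.20", "2016-01-01", "2016-09-30"),
    ("mail.clean-blog.test", "192.0.2.21", "2016-01-01", "2016-09-30"),
]


def registered_domain(fqdn):
    # Naive: keep the last two labels. A real deployment would use the public suffix list.
    return ".".join(fqdn.split(".")[-2:])


def lifetime_days(first, last):
    fmt = "%Y-%m-%d"
    return (datetime.strptime(last, fmt) - datetime.strptime(first, fmt)).days


def find_shadowed_domains(records, min_subdomains=3, max_lifetime_days=2):
    """Return registered domains showing the domain-shadowing pattern:
    several short-lived subdomains resolving to addresses that the
    long-lived hostnames of the same domain never used (thresholds assumed)."""
    by_domain = defaultdict(list)
    for fqdn, ip, first, last in records:
        by_domain[registered_domain(fqdn)].append((fqdn, ip, lifetime_days(first, last)))

    flagged = {}
    for domain, hosts in by_domain.items():
        # Addresses used by the domain's established hostnames.
        stable_ips = {ip for _, ip, days in hosts if days > max_lifetime_days}
        # Short-lived names pointing away from that established infrastructure.
        ephemeral = [(fqdn, ip) for fqdn, ip, days in hosts
                     if days <= max_lifetime_days and ip not in stable_ips]
        if len(ephemeral) >= min_subdomains:
            flagged[domain] = sorted(f for f, _ in ephemeral)
    return flagged


if __name__ == "__main__":
    for domain, names in find_shadowed_domains(RECORDS).items():
        print(f"{domain}: {len(names)} suspicious short-lived subdomains -> {names}")
```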
According to the blog, the Sundown author appears to have purchased an expiring domain to take advantage of its clean reputation. It was pointed at a legitimate service to disguise where visitors to the site were really being sent.
Sundown runs a series of scripts against users who land on its website. Some of these use encrypted data, and this is where it gets amusing. It appears that the authors of Sundown have decided to store the encryption key as plain text on the site. It is not the first piece of malware to leave the encryption key in clear text, and it won’t be the last.
If you can’t write it, steal it
Sundown deploys four different exploits to gain access to a target computer. It has taken all of these from other sources. The first three have been around for some time, while the last was only discovered in May. All of the exploits have been patched by the companies whose software they target. The blog lists the four exploits as:
CVE-2015-2419, stolen from Angler. (Pastebin)
CVE-2016-0034 stolen from RIG. (Pastebin)
CVE-2015-5119 from the publicly available Hacking Team data (Pastebin)
CVE-2016-4117 a Flash exploit discovered by FireEye and used by both Angler and Neutrino
There is, of course, nothing wrong with reusing code. Enterprises do it all the time, and hackers often share large amounts of code with each other. Sundown’s creator clearly sees this as a quick and cheap way to add new features. Using known exploits should make it easier for users with updated security software to spot
Conclusion
Neutrino was the biggest beneficiary of the apparent demise of the Angler and Nuclear exploit kits earlier this year. It is now under pressure from a number of new entrants into this market who want a share of it. Sundown is one of those who want a greater share of the exploit kit market. Will adding support for four known vulnerabilities and some additional front-end coding be enough? It is unlikely, but it does show that the author is looking to improve what they are doing.