Security researchers from Cisco Talos have conducted an in-depth investigation of the Sundown exploit kit, which is used to distribute popular ransomware and Trojans.
What is The Sundown Exploit Kit
Sundown is a very popular exploit kit that is used to distribute dangerous ransomware strains and Trojans to various computer targets. Exploit kits are automated software packages configured by computer security experts who conduct penetration tests and security audits, and by computer hackers who use them to cause damage to vulnerable hosts. In essence they contain two important components:
- Assets – A collection of known software vulnerabilities usually imported from databases. The assets contain the code that exploits the security issues.
- Configuration – A set of options that the users can toggle to initiate various payloads, attack campaigns and scenarios.
The exploit kits can even have multiple interfaces – web, desktop or command-line. Depending on the developers some may be paid, open-source or distributed as part of a complete cyber security suite.
The Sundown Exploit Kit In Detail
The Sundown exploit kit has delivered some of the most popular and dangerous ransomware strains and Trojans that came out in the last few months. According to the Cisco Talos security researchers this is a second generation exploit kit that uses advanced techniques to spread the loaded payloads.
A thorough security analysis shows that the kit operates on a relatively small infrastructure footprint; however, it does possess one of the largest domain shadowing implementations. The observed attack campaigns show that the operators work from a limited number of IP addresses. The surprising discovery was that these addresses were in fact used with more than 80 thousand subdomains, which are associated with more than 500 top level domains.
The attackers have used a diverse number of registrant accounts to conceal the initial registration records, making identification very hard. As a result of all of these measures the Sundown exploit kit can evade almost every traditional blacklisting solution with ease. The hacker operators of the kit are also adept at switching domains and recycling discovered ones during the aggressive attack campaigns.
The foundation of the kit is fairly similar to other software of this type – the program has a landing page that leads to the exploit payloads menu. Like most exploit kits, a gate is used as an initial point of redirection. Most of the targets are infected through one of the two popular vectors – hacked sites and social engineering tricks.
The observed hacker-controlled sites feature an iframe injection that executes malicious code. The attacker code runs a system scan that checks whether the system components are vulnerable. The malicious payload is then delivered after the check is complete.
Two particular types of software vulnerabilities have been identified with the Sundown exploit kit – security bugs in the Adobe Flash and Microsoft Silverlight plugins. The researchers observed that the payloads used the standard extensions – SWF for Adobe Flash and XAP for Silverlight – which is not common for most exploit kits. This differs from the usual behavior, as other exploit kits try to obfuscate the attacking payload during the intrusion phase.
Sundown Exploit Kit Attack Campaigns
Cisco Talos researchers observed several attack campaigns during their research. A particularly interesting characteristic of the software is that the compromised servers that host the exploit kit are maintained as long as possible. An interesting fact is that the observed hosts were all located in The Netherlands.
During the investigation only 10 unique addresses were found. The DNS analysis showed that the kit was linked to more than 80 unique subdomains. However, most of them were extremely short-lived; some of them were active for less than an hour.
Over a 24 hour period Sundown generated approximately 3 subdomains a minute, revealing that the attack was using wildcards for the domain instead of a traditional domain shadowing technique.
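The infrastructure pattern described above (a handful of IP addresses, thousands of short-lived subdomains spread across many registered domains, subdomains appearing several times a minute) is something a defender can hunt for in passive DNS or resolver logs. The following script is an added example, not Cisco Talos code; it flags IPs whose resolved hostnames show that churn. The records, thresholds and the simplified registered-domain helper are all constructed assumptions.

```python
"""Flag domain-shadowing style DNS churn: many short-lived subdomains across
several registered domains, all resolving to a small pool of IP addresses."""
from collections import defaultdict
from datetime import datetime

# Constructed sample passive-DNS records: (timestamp, fqdn, resolved_ip).
# The first IP mimics the Sundown pattern; the second is ordinary traffic.
SAMPLE_RECORDS = [
    ("2016-10-03 10:00:05", "a1x.example-shadowed.com", "203.0.113.10"),
    ("2016-10-03 10:00:20", "q7z.example-shadowed.com", "203.0.113.10"),
    ("2016-10-03 10:00:40", "m3k.other-victim.net", "203.0.113.10"),
    ("2016-10-03 10:01:01", "p9v.other-victim.net", "203.0.113.10"),
    ("2016-10-03 10:01:15", "b2r.third-domain.org", "203.0.113.10"),
    ("2016-10-03 10:01:30", "k4t.example-shadowed.com", "203.0.113.10"),
    ("2016-10-03 10:00:00", "www.legit-corp.com", "198.51.100.7"),
    ("2016-10-03 10:30:00", "mail.legit-corp.com", "198.51.100.7"),
]


def registered_domain(fqdn):
    """Simplified: last two labels. Production code should use a public-suffix list."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def shadowing_candidates(records, min_subdomains=5, min_domains=2, min_per_minute=1.0):
    """Return {ip: stats} for IPs whose hostnames look like shadowing/wildcard abuse.

    An IP is flagged when it is reached through at least `min_subdomains` distinct
    hostnames, those hostnames span at least `min_domains` registered domains
    (blacklisting one domain would not help), and new hostnames appear at a rate of
    at least `min_per_minute` (a rate of several per minute hints at wildcard DNS
    rather than individually created shadow records).
    """
    per_ip = defaultdict(lambda: {"hosts": set(), "domains": set(), "times": []})
    for ts, fqdn, ip in records:
        stats = per_ip[ip]
        stats["hosts"].add(fqdn.lower())
        stats["domains"].add(registered_domain(fqdn))
        stats["times"].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))

    hits = {}
    for ip, stats in per_ip.items():
        span_min = (max(stats["times"]) - min(stats["times"])).total_seconds() / 60
        n_hosts = len(stats["hosts"])
        rate = n_hosts / span_min if span_min > 0 else float(n_hosts)
        if n_hosts >= min_subdomains and len(stats["domains"]) >= min_domains and rate >= min_per_minute:
            hits[ip] = {"subdomains": n_hosts, "domains": len(stats["domains"]),
                        "per_minute": round(rate, 2)}
    return hits
```

Feeding real resolver logs through this in a rolling window turns the "80 thousand subdomains on 10 addresses" observation into an IP-level indicator that survives the operators' domain rotation.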
Who is Behind the Sundown Exploit Kit
There is no information about who is responsible for the exploit kit. Some security experts believe that the software is operated by an underground hacker collective that may also be behind some of the ransomware that has been distributed in the attack campaigns. Some limited evidence for this theory is the fact that entirely new ransomware samples have been identified in live attacks that were delivered using exactly this exploit kit.
Furthermore, Cisco Talos researchers uncovered an interesting artifact. During the analysis the team found that the compromised servers contained an encoded binary blob served in a meta tag. After they decoded the file they discovered that the operators of the Sundown exploit kit had devised a logo image bearing the name Yugoslavian Business Network.
All of this shows that this is a very advanced threat that should not be taken lightly by both system administrators and individual computer owners. For more detailed information on the matter you can read Cisco Talos’s complete blog post.