Sundown Becomes a Rising Star on the EK Scene

Sundown Becomes a Rising Star on the EK Scene

There’s a new-ish kid on the block when it comes to exploit kits (EKs): Sundown. And over the last six months it has risen in the ranks to become the No. 2 EK, behind RIG.

An examination from Cisco Talos shows that the Sundown EK, despite operating on a relatively small infrastructure footprint, has what appears to be one of the largest domain-shadowing implementations out there. It has recently been exclusively delivering banking trojans.

“The campaign operated out of a handful of IPs, but we ended up finding in excess of 80K malicious subdomains associated with more than 500 domains leveraging various registrant accounts,” said researcher Nick Biasini, in an analysis. “This translates into a kit that will largely evade traditional blacklisting solutions.”

Sundown is highly vigilant and the subdomains in use were recycled quickly to help in avoiding detection. In some cases, it appeared to use single-use domain-shadowing, which is incredibly difficult to stop by using blacklisting. During Cisco Talos’ monitoring, the amount of subdomains registered in a given day reached a peak of slightly more than 4,300. For a 24-hour period, one Sundown campaign was seen generating approximately three subdomains a minute for the entire day.

Interestingly, Sundown is not historically one of the big guns. Cisco Talos explained that it has previously been part of a second tier of exploit kits that includes Magnitude and Sweet Orange.

“These kits successfully compromise users, but typically are not accompanied with the advanced techniques and wide-spread use of the other major exploit kits,” Biasini noted. “It's not to say these kits aren't significant threats, but from a potential victim perspective they historically do not have the reach associated with other EKs from before such as Angler or RIG.”

But in the last six months, the exploit kit landscape has seen some major changes, including the Nuclear EK ceasing operations in April/May, and arrests in Russia coinciding with the end of Angler in June. Recently, Neutrino also has been added to the list of exploit kits that have stopped being actively used in 2016.

“What remains is a group of smaller exploit kits vying for pole position in an industry that continues to generate millions of dollars from payloads such as ransomware and banking Trojans,” researchers said.

The thousands of Sundown subdomains are associated with several hundred different domains; the majority of which were owned by two distinct registrant accounts, hosted in the Netherlands. But despite the Dutch connection, the authors of the kit aren’t exactly interested in obfuscation. They’ve created a brand identity for themselves (complete with a logo): The Yugoslavian Business Network.

“The fact that they re-use exploits, wildcard domains and don't take much effort to hide their kit from sight indicates that they either lack the sophistication we have seen from other kits or plainly don't care to hide their activity,” Biasini said. “It also shows that you don't need sophistication to compromise users. It will be interesting to watch how this landscape changes over the next six months to a year. It's obvious that there is a major opportunity for some motivated miscreants to enter the exploit kit market.”

Photo © Markus Gann

Source: Information Security Magazine