Light Dark
November 3, 2016 By Larry Loeb 2 min read

Researchers from Cisco Talos reported an uptick in the use of second-tier exploit kits (EKs) for the delivery of malware.

Nuclear, Angler and Neutrino EKs — the main players in the arena — have all scaled back their operations, leaving a power void in the space. This enabled other contenders, such as the Sundown exploit kit, to make a run at the EK throne.

Introducing Sundown Exploit Kit

After a deeper look at Sundown, Talos researchers were surprised by what they found. To start, Sundown operates on a relatively small infrastructure footprint. At the same time, it runs one of the largest domain shadowing implementations Talos had ever seen. This is truly an asymmetrical approach.

While just a few IPs — researchers found only 10 — were directly linked to a campaign, Talos discovered that Sundown’s registrant accounts used more than 80,000 malicious subdomains that were associated with over 500 domains. The sheer number of domains renders traditional blacklisting solutions pretty much useless.

In addition, Sundown efficiently recycles the subdomains after use. This helps it avoid possible detection by not leaving a trail of visible past operations behind.

The Big Takeaway

Sundown is similar to other recent exploit kits in the way it operates. It features a landing page and an exploit page that contains a payload. The compromised landing page includes an iframe.

That iframe points to some location on the page that renders off screen, redirecting the browser to the exploit page. This exploit page evaluates the incoming victim for vulnerabilities before it delivers a malicious payload.

Sundown has quirks, to be sure. For one thing, it reuses exploits, and it also uses wildcard domains in its shadowing.

Lastly, the developers do not seem sophisticated enough to understand why they might want to hide the EK from sight. The colorful logo Sundown displays indicates the authors want to be seen and well-known.

“The big takeaway,” Talos researcher Nick Biasini told Threatpost, is that “Sundown is a much larger threat than people realize.”

 |  |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

July 26, 2024

Hive0137 and AI-supplemented malware distribution

12 min read - IBM X-Force tracks dozens of threat actor groups. One group in particular, tracked by X-Force as Hive0137, has been a highly active malware distributor since at least October 2023. Nominated by X-Force as having the “Most Complex Infection Chain” in a campaign in 2023, Hive0137 campaigns deliver DarkGate, NetSupport, T34-Loader and Pikabot malware payloads, some of which are likely used for initial access in ransomware attacks. The crypters used in the infection chains also suggest a close relationship with former…

July 25, 2024

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

July 24, 2024

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature