It’s been a tumultuous summer for exploit kits with the demise of Angler, Neutrino and Nuclear, for years each responsible for massive amounts of dollar losses and malware infections. Now, Cisco Talos security researchers are bracing for new entrants to fill the void, starting with the Sundown exploit kit.
Over the past six months, Sundown has become a significant threat responsible for a large number of infections. Researcher Nick Biasini told Threatpost that criminals behind Sundown have built an infrastructure of 80,000 malicious subdomains associated with more than 500 domains – each pointing to the Sundown. That ranks Sundown No. 2 behind RIG when it comes exploit kit prevalence, he said.
“In the last six months we have seen a major shakeup in the exploit kit landscape as a whole. You had the three biggest exploit kits ceasing operation for one reason or another. Angler, Nuclear and Neutrino are off the landscape,” Biasini said. “What we are left with is a second tier of exploit kits such as Magnitude, Sweet Orange and Sundown.”
Sundown, Biasini said, is a standout. “There are a couple interesting things that are setting Sundown apart from the pack,” he said. For starters, Biasini said, “we found a large volume of domain activity associated with these Sundown servers.”
Instead of using traditional domain shadowing techniques, Sundown criminals are using wildcards for subdomains which are exponentially growing the number of gates driving traffic to servers hosting the Sundown EK.
The wildcard domain technique is similar to domain shadowing, where a criminal surreptitiously buys up subdomains of a neglected domain to route traffic to an exploit kit. It also allows a criminal to use any combination of subdomain text to drive traffic to a server hosting the exploit kit.
For one Sundown campaign, Biasini said he observed during a 24-hour period a particular Sundown domain generating what appeared to be three subdomains a minute. “This seemed like an unruly amount of domains so we did a basic check and it appeared that this particular Sundown campaign was actually using wildcards for the domains they had been leveraging instead of traditional domain shadowing,” Biasini wrote in a blog explaining his findings.
Biasini said the volume and diversity of payloads used in tandem with Sundown doesn’t match that of the more mature RIG exploit kit. For example, traffic for RIG is at a high volume with it dropping a variety of payloads ranging from banking Trojans, info stealers, to loaders. Recent Sundown campaigns show only banking Trojans being pushed with little innovation when it comes to updates and diversity.
“The big takeaway is Sundown is a much larger threat than people realize,” Biasini told Threatpost. “We are in this weird flux time with (Angler, Neutrino and Nuclear) leaving. There is this vacuum for potentially millions of dollars in revenue to be made that an exploit kit like Sundown has an opportunity to step into.”
Further examination shows other levels of immaturity, according to Biasini. One clue as to the group of cyber criminals behind the Sundown EK is a calling card that includes the text “Yugoslavian Business Network” in the response from Sundown server headers.
Cisco also reports that Sundown primarily leverages Adobe Flash and Silverlight vulnerabilities. “All requests for Flash files end in ‘.swf’ and all Silverlight requests end in ‘.xap’ which isn’t particularly common for exploit kits as they typically will try and obfuscate the activity,” Biasini wrote.
Lastly, researchers were surprised by the persistence of servers hosting the Sundown EK. “In our experience in hunting exploit kits, the servers hosting the kits do not stay active for long. In the days of Angler this could be less than 12 hours to at most 48 hours. Some of the IPs that we have seen hosting Sundown have been active for weeks and in some instances months,” according to Biasini’s research.
He said IPs hosting illicit activity typically would be shut down by security providers. However, Sundown servers, located exclusively in the Netherlands, are still up and running despite Cisco notifying hosting companies of the activity weeks ago.
“It’ll be an interesting next six months to see where Sundown goes and where the exploit kits end up falling out and if there are any more that enter the landscape,” Biasini said.