Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Sundown EK – Stealing Its Way to the Top

Sundown is one of the newest Exploit Kits on the market these days, and like many up-and-coming exploit kits before it, this means that it is in under constant development.

With the recent disappearance of the Angler and Nuclear exploit kits, both big players in the EK scene, a gap has been left in the market; and although most of it has been filled by more prominent exploit kits, such as Neutrino and RIG, there seems to be enough room for smaller players such as Sundown to step up and grab their slice of the proverbial pie.

A little over a year ago, Kaffeine talked about Sundown in a blog post, describing it as nothing special and just "mentioning this EK is around". Until recently not much has been done by Sundown's developers to try and rise up into the list of bigger and more serious exploit kits, and unfortunately for them, even those recent attempts to improve still didn't feel very serious…

So in order to upgrade the capabilities of Sundown, the author decided to take the following measures:

  • Outsource the panel & DGA coding work to the "Yugoslavian Business Network"
  • Steal exploits from other EK and incorporate them to Sundown

In this blog post we will go through the recent changes in the Sundown code and discuss its newly incorporated (stolen) exploits.

 

Sundown's use of subdomains or, "fake domain shadowing":

8128_19426598-ef75-43cb-8487-6eb413a442cb

Figure 1: A Tweet from @edx mentioning Sundown starting to use subdomains

As spotted by edx, sundown started to use subdomains for their .top/.pw domains , but the domain names look like a cat walked on your keyboard, and thus suspicious as hell.

Recently, however, we encountered an instance of sundown that uses what looks like domain shadowing which appears to be an actor using sundown in a more sophisticated way:

It looks like the actor bought a soon-to-be-expired domain cheap in order to benefit from their good reputation, and pointed them to the ip address of the legitimate service no-ip, this method likely helps the subdomains, which point to a different malicious IP address, stay alive longer before they are blacklisted.

 

So let's take a look at the new landing page, shall we?

10812_9abbf16c-8aa4-4371-8678-b1555de79a43

Figure 2: The new Sundown landing page

So what have we here? Some new info.js file that is being loaded, a ".dec" function called with some encrypted data followed by document.write of the decrypted code.

Next, the HTML tag is closed, and another one is opened for no apparent reason with some more script stuff.

But this is probably not a bug, but rather a feature: Sundown adds this code, whose purpose we will discuss further down the blog, to every page, most probably using a php include such as:

<?php include 'leetdetection.html';?>

We poked a little and observed it add this script even to invalid requests made to the landing page. In the past, such requests used to simply display the YBN logo, and now along with this lovely logo one will also receive this mysterious script:

9260_50a898d4-48da-434d-ae1f-da56e48a4081

Figure 3: The page that Sundown shows when you try to access its landing page incorrectly

7937_0f68b13e-9d70-4fa4-98a8-fde68cf743da

Figure 4: The lovely YBN logo

 

So what is info.js and the .dec function we keep encountering?

12078_d83c095c-3427-4616-93e8-34cef17a96bc

Figure 5: A snippet from the info.js file

Encryption is great as long as you don't give away the key:

9583_6167acf8-b920-4754-85f0-ac24f8c5f298

Figure 6: The decryption key is stored in plain-text

So what was encrypted? An obfuscated script which is basically a base64 decode of more obfuscated data:

10046_78b0a9de-03eb-4676-b212-da947bb4627f

Figure 7: The code that was encrypted with info.js

 

Let's go deeper down the rabbit hole:

The base64 decodes into yet another JavaScript function that abuses the xmldom res:// vulnerability to avoid detection by looking for security software on the victim machine, of course this resistance attempt is futile, this method is old and patched a while ago, and other exploit kits use a new and unpatched fingerprinting method.

10728_96c1ee7f-f30d-4991-9a5a-6d55db2d0a71

Figure 8: The code that was encoded by base64

Congratulations to all those who made it to the short blacklist of Sundown:

10728_96c1ee7f-f30d-4991-9a5a-6d55db2d0a71

Figure 9: A list of security products Sundown is checking to avoid detection

Ok, so this super-secret encoded stuff was just an old technique to avoid detection, so where is the actual exploit stuff??? "You promised a new shiny exploit…"

 

Let's check the 2nd HTML Document tag

The 2nd HTML Document contains 4 script tags, which are essentially the same script as the decoded script we found that use base64 to decode a string, so perhaps in a future update Sundown will use this same info.js to further encrypt these chunks as well…

The first script is CVE-2015-2419, stolen from Angler. (Pastebin)

The second script is a Silverlight exploit, CVE-2016-0034 stolen from RIG. (Pastebin)

The third script is the publicly available hacking team CVE-2015-5119. (Pastebin)

The last and fourth script is the shiny new exploit that was added, drumroll please:

8980_44b35431-01ac-4ad5-adf1-25b1e47edef7

Figure 10: The 4th script that was encoded by base64

9476_5b8b6789-f3a2-464a-a404-bea138515c5f

Figure 11: Fiddler capture of the files loaded by the new Sundown landing page

9946_7372f611-f802-4bf0-9773-12b58c9048c9

Figure 12: A snippet of the code in 96.swf that is used to unpack the Go_var1 binarydata

Ok, so what is this new mysterious 96.swf you ask?

It has some nifty binary data - could it be that Sundown has finally coded an exploit from scratch?

As you can see the "Anim" function is used to read the binary data which is XOR encrypted, and decrypt it. For readability purposes here is the same code with variables renamed:

12827_faf242a2-5598-4880-a71c-2a8efa8fbfaf

Fig 13: The XOR function with renamed variables

What we see here is a XOR decryption loop with a little twist. The XOR key is incremental, meaning that after each decrypted loop the XOR key value is incremented by 17. However, this is completely equivalent in cryptographic strength to a single XOR key, as the code increments it by a constant value.

This loop also does a sanity check at the beginning (line #5) to ensure that the first decrypted byte has the decimal value 70 (46 in hex) which corresponds to a first letter of the Flash file header (FWS).

We have written a simple python script to encode the binary data which is a 2nd stage flash exploit.

In order to use it, you need to extract the binary data from the flash file, you can use JPEXS FFDec or swfextract "swfextract -v -b 1 96.swf -o 1_Go_var1.bin"

Guess what is the 2nd stage flash? That's right, another stolen exploit, this time it is MagnitudeCVE-2016-4117

9325_5426d48c-7212-4a56-8231-0cbfb4b43a55

Figure 14: The unpacked 2nd flash file in sundown

10696_94ec0836-f16d-407a-96ec-43e474bb6e16

Figure 15: A snippet of Magnitude's CVE-2016-4117

That's all folks, and the lesson for today it seems, is that there is no honor amongst thieves.

Trustwave Secure Web Gateway protects customers against the Sundown Exploit Kit.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo