After the disappearance of the Angler and Neutrino exploit kits (EK), the underground EK market was left with only one major player: Rig EK. Pseudo-Darkleech and EITest, the two most popular website compromise campaigns, both redirected their victims to Rig EK. A few days back, however, our systems detected a major change in this pattern: for the first time, the EITest campaign was observed leading its victims to Sundown EK. Sundown EK is a fairly new player in the EK world and appears to be trying to grab a share of this lucrative market.
Fig. 1 Compromised website with the EITEST script.
As we can see in Fig. 1 above, the EITest campaign injects a script into the compromised website. The script simply creates a small ‘iframe’ and loads content from ‘http://eh.hlssn.com’.
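As an added example (not code from the original post), a small Python check for the injection pattern described above: iframes that are tiny or hidden and load content from a host other than the page's own. The sample HTML and the site hostname `www.example.com` are constructed; the gate domain is the one quoted above.

```python
"""Flag injected small or hidden iframes of the kind the EITest campaign
plants on compromised sites. Added example; SAMPLE_HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a normal embed plus an injected 1x1 hidden iframe
# pointing at the EITest gate domain quoted in the post.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://eh.hlssn.com/" width="1" height="1" style="display:none"></iframe>
</body></html>"""

SMALL_PX = 10  # an iframe this small is effectively invisible to the visitor


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if unusable."""
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return None


def find_suspicious_iframes(html, site_host):
    """Return (src, host, reason) for iframes that are tiny or hidden and
    load content from a host other than the page's own."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if not host or host == site_host:
            continue  # same-origin or src-less iframes are not this pattern
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        style = (attrs.get("style") or "").replace(" ", "").lower()
        tiny = w is not None and h is not None and w <= SMALL_PX and h <= SMALL_PX
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            hits.append((src, host, "tiny" if tiny else "hidden"))
    return hits


if __name__ == "__main__":
    for src, host, reason in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"suspicious {reason} iframe -> {host} ({src})")
```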
Fig. 3: Deobfuscated script loading Flash exploits
Fig. 4: Sundown EK loading the IE Exploit For CVE-2016-0189
Fig. 5: Sundown EK loading the IE Exploit For CVE-2014-6332
If the target system has Silverlight installed, Sundown EK also serves an exploit for CVE-2016-0034 via the ‘/site.php?id=logout’ URI.
For a detailed analysis of the exploits, check out our previous post on the Sundown Exploit Kit.
When we send an HTTP request to the server hosting Sundown EK, it returns a base64-encoded web page showing the logo of the group allegedly responsible for operating Sundown EK (see the figure below).
As we can see, Sundown EK is updating itself with new exploits and infection mechanisms. As a good practice, keep your systems updated with all the security patches made available by the vendors.