2016 saw a big shift in the exploit kit landscape, with many of the bigger players unexpectedly dropping out of action. The Nuclear exploit kit operations started dwindling in May, Angler disappeared around the same time Russia’s Federal Security Service made nearly 50 arrests last June, and then Neutrino reportedly went private and shifted to focus on select clientele in September. RIG and Sundown are now the most prominent exploit kits in circulation, gaining prominence shortly after Neutrino dropped out of active circulation.
Sundown is something of an outlier from typical exploit kits. It tends to reuse old exploits and doesn’t make an effort to disguise their activity. The URLs for Sundown requests for Flash files end in .swf, while Silverlight requests end in .xap. These are the normal extensions for these file types. Typically, other exploit kits make an effort to hide their exploits. In addition, Sundown doesn’t have the anti-crawling feature used by other exploit kits.
Recent use of Sundown/RIG
Sundown and RIG were both in the spotlight last September when a malvertising campaign was found to be distributing the CryLocker ransomware through the two exploit kits. Researchers first detected RIG pushing this ransomware as its payload on September 1, while Sundown started doing so on September 5. CryLocker was unique in that it used Portable Network Graphic (PNG) files to package the information stolen from the infected system. The PNG file was then uploaded to an Imgur album, where ransomware operators could access it easily while evading detection.
The developers of this particular malware gave their files a valid PNG header, but no image. The file only had the system information as ASCII strings. This makes it distinct from steganography, which hides secret messages, files, or information in an image.
Steganography Techniques used by Exploit Kits
Steganography is an advanced technique used to hide malicious code in an image to prevent signature based detection. It’s quite popular and has been used in several malvertising and exploit kit attacks. Earlier this year, the massive GooNky malvertising campaign used multiple techniques to hide their malvertising traffic, including moving part of malicious code into images to prevent detection. However, here the attackers didn’t really “hide” the data in the picture itself – they merely appended their malicious code at the end of the file.
In a more advanced case, Trend Micro researchers worked with colleagues in the security community to look into the steganography tactics used in the AdGholas malvertising campaign and its associated Astrum exploit kit. The campaign encoded a script into an image’s alpha channel, which defines the transparency of the pixels. The minor modification allows the malware designer to mimic a legitimate ad, with only a slight difference in color. This makes it more difficult for these malicious ads to be spotted and analyzed.
On December 27, 2016, we noticed that Sundown was updated to use similar techniques. The PNG files weren’t just used to store harvested information; the malware designers now used steganography to hide their exploit code.
The newly updated exploit kit was used by multiple malvertising campaigns to distribute malware. The most affected countries were Japan, Canada, and France, though Japanese users accounted for more than 30% of the total targets.
Figure 1. Distribution of the Sundown exploit kit targets from December 21 to 27
As we noted earlier, previous Sundown versions directly connected victims to the Flash exploit file on their landing page. In this updated version, the exploit kit’s malvertisement creates a hidden iframe that automatically connects to the Sundown landing page. The page will retrieve and download a white PNG image. It then decodes the data in this PNG file to obtain additional malicious code:
Figure 2. Steganography used in Sundown exploit kit infection chain (Click to enlarge)
Upon further analysis of the exploit code inside the PNG image, we found that it included the exploit code targeting CVE-2015-2419, a vulnerability in the JScript handling of Internet Explorer. A Flash exploit for CVE-2016-4117 is also retrieved by the exploit code. The landing page itself includes an exploit targeting another Internet Explorer (IE) vulnerability, CVE-2016-0189. All of these exploits have been patched and have been used by other exploit kits this the past year.
The malware dropped by Sundown here is the Chthonic banking Trojan (detected by Trend Micro as TSPY_CHTHONIC.A). Chthonic is a variant of the Zeus malware that was used in a PayPal scam last July.
Indicators of Compromise
The following domains were used by the Sundown Exploit kit with the matching IP addresses:
- xbs.q30.biz (220.127.116.11)
- cjf.0340.mobi (18.104.22.168)
The Chthonic sample has the following SHA1 hash:
The sample also used the following C&C server: