Zscaler ThreatLabZ, during our daily exploit kit (EK) tracking, have been seeing some changes in both RIG and Sundown EKs. We recently encountered a malvertising chain serving both EKs on subsequent visits, and decided to compile a quick look at the these cases.
Figure 1 - Graph showing the malvertising chains
Sundown Exploit Kit, as we have covered before, is relatively new to the EK scene. The developers aren't wasting much time however, and have been seen to make rapid changes to the kit, marking a general trend towards increasing complexity. We have seen this in all aspects of the kit, including their gate/redirector usage, leveraging of malvertising, landing page features and formats, and hosting infrastructure used.
Previously, we were seeing Sundown traffic mostly coming from infected websites, using very simple gates to redirect to the landing page. The domain "tdconsultantspecialists.com" was the main Sundown redirector we observed, until they moved to "corporatecompanybus.com".
Figure 2 - Sundown cycle from corporatecompanybus.com featuring domain shadowing
Following (or perhaps in conjunction with) the gate change, Sundown has moved further into malvertising, which now makes up the majority of our observed Sundown traffic. Sundown has also made some changes to their hosting infrastructure choices, and is looking like a more "professional" cybercrime operation recently, with what appear to be shadowed domains (registered at GoDaddy) utilized for landing page hosts. Subdomains are created on the shadowed accounts, yielding URL patterns that can make Sundown traffic look very much like RIG.
Figure 3 - Excerpt of recent Sundown landing page URLs
We've also begun seeing an interesting divergence in the hosting of landing page and payloads. In a recent case, the landing pages and payloads were served from different IPs and hostnames, however the case we present today features the same IP but different hostnames on different shadowed domains.
Figure 4 - Sundown EK cycle showing usage of different hostnames for payload delivery
While the hosting structure of Sundown has seen an improvement, the rapid development has been most evident in the landing page code. In July, we noticed Sundown deployed the latest IE exploit, CVE-2016-0189, as the sole payload of the landing page.
Figure 5 - Sundown EK briefly used CVE-2016-0189 as the sole landing page element
This was not to last, as they quickly integrated the exploit into the more typical Sundown landing page format. In a more recent episode, Trustwave's Spiderlabs spotted the addition of a fingerprinting code, however we have not seen this feature in our captured cycles, so the operators may have opted for the simpler, non-fingerprinted landing page since then.
Figure 6 - Sundown's new obfuscation layer, part 1
We spotted another change on the Sundown landing page: an additional obfuscation layer implemented in the PHP backend code. We encountered this last week and were also able to get a sneak peek at the backend code, which showed the implementation of a dynamic obfuscation layer. This layer uses a randomized 4-byte key in a simple XOR routine, with randomized variable names added to hinder analysis. The feature is quite simple, though, and perhaps for this reason, the authors ultimately removed the feature just as quick as they added it. Perhaps this is part of some kind of A/B feature-testing regime.
Figure 7 - Sundown's new obfuscation layer, part 2
In the wake of both Angler and Nuclear disappearing, RIG has taken a dominant position in the EK landscape. The RIG operators appear content, however, to iterate more slowly, with changes to the EK itself happening less frequently. That said, RIG EK authors have now made noticable changes to the landing page structure.
Figure 8 - RIG EK landing page with a brand new look
Where the RIG landing page was previously only lightly obfuscated, relying primarily on base64-encoded data, the new landing page is somewhat reminiscent of a previous Angler format, with an extended-ascii twist. Despite looking highly obfuscated at first glance, the landing page is easily decoded in two stages.
Figure 9 - The right pane features the fully decoded landing page
Besides RIG's inclusion into the EITest and (pseudo) Darkleech campaigns, we would also like to point out the changing hostname patterns being used. Some cases have used hostnames that might suggest a closer partnership with EITest (using 2 level hostnames in the .top TLD, similar to typical EITest-Neutrino cycles), but the historic pattern of [two-letter subdomain].[domain-shadowed-account].[tld] has been tossed aside. RIG has also been branching out into new hosting provider networks, with Host Sailor, OVH SAS, and OOO NPO Relcom joining Webzilla B.V. and OOO IT-Grad.
At this point, it's clear that the exploit kit landscape has been thoroughly shaken up since the disappearance of Angler and Nuclear (as we have covered in our round-ups and other EK-related blogs). This small update is meant to give a quick look at the latest techniques and trends used by RIG and Sundown. We will continue to monitor the situation, and provide updates to the community as usual.