Sundown Chronicles - Observations of an Exploit Kit's Evolution
Since the apparent deaths of the Angler and Nuclear exploit kits, we have seen elevated activity from other groups. While RIG and Neutrino have been the primary actors in the void left by Angler and Nuclear, Sundown has also been active and making strides to increase its share of the exploit kit marketplace. We previously analyzed Sundown in January, and while it remains a significantly less sophisticated kit than other EKs, its developers are quickly working to develop the kit's capabilities. Recently, we have seen a flurry of iterative improvements in the exploit kit, similar to the behavior seen during our observation in January.
In this analysis, we will not detail the components of the Sundown EK since we covered that in our previous post, but will highlight the most interesting observations over the past month. See here for additional insight on Sundown's structure through June 30th.
In the Sundown PCAP released on 2016-06-15, the landing page was a mish-mash of styles, including a section that appears ripped directly from RIG landing pages seen around April-May. This section actually caused some confusion as we saw detections for this version of the landing page mistakenly labeled RIG.
While reviewing Sundown activity, we found that the campaign was still active but the landing page structure changed enough to evade our previous signatures. At this point, Sundown had abandoned the RIG-ripoff tactic, and stuffed nearly everything into base64-encoded blocks with an overabundance of <body> tags.
For some reason, a completely unencoded Flash object remained on the landing page, which included a nice shellcode payload in a FlashVar named 'exec'! The shellcode is fairly basic, using urlmon.dll to fetch a malware payload.
Fig 4 - Shellcode downloads a malware payload from the highlighted URL
Close monitoring continued and although there weren't any notable changes to the landing page, we did some testing with an old VM that produced an interesting result. We did further testing and found that user-agents claiming to be Internet Explorer 6 caused a basic PHP backend to be dumped to the browser. This uncovered backend shows the construction of some static objects to serve on the landing page and a switch statement based on the results of a simple, but flawed, IE version check. The IE check causes the backend to select between two different payloads.
Besides the landing page inflation, we also began seeing delivery of a RAT known as NetWire or NetWiredRC. Identification was easy thanks to the thorough analysis and documentation by CIRCL, MalwareMustDie, and others.
However, this seems to be a slightly updated version of NetWire. It's previously been pointed out that the RAT uses a 76-way switch statement for parsing commands from the server, while the sample Sundown delivered provided for 82 cases.
The RAT was configured to communicate with 86t7b9br9.ddns[.]net (resolving to 62.210.14[.]117) on port 8980, but the server was rejecting connections at the time of analysis.
On checking Sundown again, we found some small changes compared to the landing page seen on July 1st. The same inflationary tactics are used on the landing page but the landing page comes in a few hundred kilobytes smaller, thanks in small part to stripping of many CRLFs from the HTML.
We noticed a very interesting change to the payload at this point: the exploit kit was actually delivering unmodified copies of PuTTY version 0.66. Visit infected website, receive PuTTY! We considered this could actually be useful if it wasn't likely to be a simple test payload.
With no interesting payload to investigate, we decided to do some poking at the infrastructure. We went looking for the backend admin panel, but instead we found a nice splash page. When browsing the landing page URL with no parameter, a simple HTML page with a meta tag meant to load another HTML page from a base64 encoded data tag.
It turned out that the HTML didn't actually load properly (it appears the meta refresh directive doesn't work in this case), but since the actual splash page was contained in the previously mentioned data parameter, we decoded the base64 blob. This turned out to be another HTML page, this time with data:image objects for background and foreground images, with the foreground image showing a logo for a "Yugoslavian Business Network".
This Russian Business Network inspired group may or may not be responsible for Sundown, but there does appear to be a German language group offering coding services on forums under the YBN moniker, with many commenters voicing their pleasure with the services.
In addition to the newly modularized landing page, we also discovered that Sundown's PuTTY service was shutdown to make way for actual malware delivery once again, with NetWire returning to the party.
We found a new malware payload: a version of Kasidet that adds a base64-encoding layer to its HTTP callbacks. This is new behavior compared with our previous analysis, where we reported it being dropped by malicious spam. Callbacks were attempted to hhggffppgttt[.]ru (resolving to 22.214.171.124 at the time of analysis), including the submission of a screenshot. Cleverly, the C&C server response with 404 status codes, but the 404 pages contained base64-encoded responses inside HTML comments.
Since the disappearance of the two top exploit kits, Angler and Nuclear, other kits will be fighting for market share. Sundown remains technically less sophisticated than others, but as we outlined in this analysis, Sundown's authors will surely keep making rapid updates to their code. Zscaler ThreatLabZ will continue monitoring the situation to ensure protection of Zscaler customers and provide relevant updates.