
Sundown exploit kit adds Internet Explorer exploit before any other kit 

08-24-2015 02:00 PM


While tracking exploit activity, Symantec found that the Sundown exploit kit (EK) has started to take advantage of a recent Internet Explorer vulnerability known as CVE-2015-2444.

This breaks with the usual pattern of new exploit integration, in which a small group of established kits is first to adopt each new exploit. The following table shows which exploit kits integrated the most recent exploits over the last three months:

Vulnerable software | Angler EK     | Nuclear EK    | Neutrino EK   | Magnitude EK
--------------------+---------------+---------------+---------------+--------------
Internet Explorer   | CVE-2015-2419 | None          | None          | None
Silverlight         | CVE-2015-1671 | None          | None          | None
Adobe Flash Player  | CVE-2015-5122 | CVE-2015-5119 | CVE-2015-5119 | CVE-2015-3113
                    | CVE-2015-5119 | CVE-2015-0336 | CVE-2015-0311 | CVE-2015-3104
                    | CVE-2015-0359 |               |               | CVE-2015-3105
                    | CVE-2015-3090 |               |               |
                    | CVE-2015-0311 |               |               |

Table. Prominent exploit kits and the vulnerabilities that they targeted in the last three months

The table shows that the Angler exploit kit is the leader in integrating the latest exploits, followed by the Magnitude, Neutrino, and Nuclear exploit kits.

The Sundown exploit kit has gone against this trend by becoming the first kit to integrate an exploit for CVE-2015-2444, which was first released to the public on August 12, 2015. Microsoft had patched the bug a day earlier, on August 11, 2015, in security update MS15-079, so the kit was targeting users who had not yet applied a patch that was only days old.

Symantec has observed attackers using Sundown to exploit this bug in watering-hole attacks and drop a back door Trojan onto computers. The attacks have primarily affected users in Japan.

Figure 1. Attacks primarily impact users in Japan

How the attacks work
In this campaign, the attackers injected an iframe into a legitimate website, which redirected users to a highly obfuscated landing page containing the Sundown exploit kit.

Figure 2. Obfuscated landing page of Sundown EK

When the user arrived on the landing page, the exploit kit checked the user’s computer for driver files associated with particular security software, controlled application environments (such as Sandboxie), and traffic-capturing tools. To avoid detection, the EK didn’t drop exploits if any of these products were present.
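The two traits described above, the injected hidden iframe on the compromised site and the landing page's check for driver files belonging to security software, sandboxes such as Sandboxie, and traffic-capture tools, can both be picked up by a simple analyst-side scanner. The following is an added example written for this page; it is not Symantec's code and not the kit's. The sample compromised page and landing-page script are constructed here, landing.example is a made-up host, example_av.sys is a placeholder driver name, and the probe method shown (the Internet Explorer XMLDOM res:// file-existence trick used by Angler-derived kits in 2015) is an assumption about how Sundown performed its check, not something the page states.

```python
"""Added example: triage scanner for an injected hidden iframe and for
res:// driver-file probes in landing-page JavaScript. Not Symantec's or
Sundown's code; the probe technique is assumed (IE XMLDOM res:// trick)."""
import re
from html.parser import HTMLParser

# Constructed sample of a compromised page. The injected iframe is 1x1
# and hidden; landing.example is a made-up host.
COMPROMISED_PAGE = """<html><body>
<h1>Welcome</h1>
<p>Ordinary site content.</p>
<iframe src="http://landing.example/gate.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

# Constructed, already deobfuscated sample of landing-page JavaScript.
# example_av.sys is a placeholder for a security product's driver;
# SbieDrv.sys (Sandboxie) and npf.sys (WinPcap, used by Wireshark) are
# real driver names. The parseError handling is only sketched.
LANDING_SCRIPT = r"""
var probes = [
  "res://c:\\windows\\system32\\drivers\\example_av.sys/#1",
  "res://c:\\windows\\system32\\drivers\\SbieDrv.sys/#1",
  "res://c:\\windows\\system32\\drivers\\npf.sys/#1"
];
function present(path) {
  var x = new ActiveXObject("Microsoft.XMLDOM");
  x.async = false;
  x.loadXML('<!DOCTYPE x SYSTEM "' + path + '">');
  return x.parseError.errorCode !== MISSING_FILE_CODE; // sketch only
}
for (var i = 0; i < probes.length; i++) { if (present(probes[i])) { exit(); } }
serveExploits();
"""

# Driver names an analyst would map back to the tool they belong to.
KNOWN_TOOL_DRIVERS = {
    "sbiedrv.sys": "Sandboxie",
    "npf.sys": "WinPcap (Wireshark and other capture tools)",
}

# res://...drivers\NAME.sys inside a JS string literal; tolerates
# escaped backslashes and forward slashes in the path.
DRIVER_PROBE = re.compile(r'res://[^"\']*?drivers[\\/]+([\w.-]+\.sys)',
                          re.IGNORECASE)


class _IframeFinder(HTMLParser):
    """Collects iframes that are sized away or hidden by inline style."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().lower().rstrip("px")
            if val.isdigit() and int(val) <= 1:
                reasons.append("%s=%s" % (dim, val))
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.hits.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return hidden or 1x1 iframes found in an HTML document."""
    finder = _IframeFinder()
    finder.feed(html)
    return finder.hits


def find_driver_probes(script):
    """Return driver file names probed via res:// in landing-page JS."""
    return DRIVER_PROBE.findall(script)


def triage(page_html, landing_script):
    """Combine both signals into one verdict for an analyst."""
    iframes = find_hidden_iframes(page_html)
    probes = find_driver_probes(landing_script)
    targets = sorted({KNOWN_TOOL_DRIVERS.get(p.lower(), "unknown driver " + p)
                      for p in probes})
    return {
        "hidden_iframes": [h["src"] for h in iframes],
        "probed_drivers": probes,
        "evasion_targets": targets,
        "suspicious": bool(iframes) and bool(probes),
    }


if __name__ == "__main__":
    for key, value in triage(COMPROMISED_PAGE, LANDING_SCRIPT).items():
        print(key, "=", value)
```

Run against captured pages, the iframe check is useful on the compromised site and the driver-probe check on the deobfuscated landing page; the presence of probes for sandbox and capture drivers is itself a strong hint that a script is kit code rather than site code, since legitimate pages have no reason to ask whether Sandboxie or WinPcap is installed.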

Figure 3. Exploit kit avoided dropping exploits if particular software was present

After confirming that none of those products were present, the exploit kit attempted to exploit vulnerabilities in different software, including the recent Internet Explorer bug, CVE-2015-2444.

Figure 4. Exploit code

During this campaign, the exploit kit also took advantage of the following vulnerabilities:

If the kit successfully exploited any of these vulnerabilities, it dropped the payload Trojan.Nancrat onto the victim's computer. This threat acts as a back door and steals information from the compromised computer.

Symantec and Norton protection
Symantec and Norton products have had detections in place for the Sundown exploit kit since the day it surfaced on underground marketplaces, so customers with up-to-date antivirus and IPS signatures were protected against this attack. Users should also apply software updates promptly: in this campaign the exploit kit was serving an exploit for a bug that Microsoft had already patched.

IPS

Antivirus
