While tracking exploit activity, Symantec found that the Sundown exploit kit (EK) has started to take advantage of a recent Internet Explorer vulnerability known as CVE-2015-2444.
This seems to break the tradition of new exploit integration. The following table shows which exploit kits integrate the most recent exploits the fastest over the last three months:
|Adobe Flash Player
Table. Prominent exploit kits and the vulnerabilities that they targeted in the last three months
The table shows that the Angler exploit kit is the leader in integrating the latest exploits, followed by the Magnitude, Neutrino, and Nuclear exploit kits.
But the Sundown exploit kit has gone against the trend, becoming the first to integrate the CVE-2015-2444 exploit, which was first released to the public on August 12, 2015. Microsoft patched this bug in its security update MS15-079.
Symantec has observed attackers using Sundown to exploit this bug in watering-hole attacks and drop a back door Trojan onto computers. The attacks have primarily affected users in Japan.
Figure 1. Attacks primarily impact users in Japan
How the attacks work
In this campaign, the attackers injected an iframe into a legitimate website, which redirected users to a highly obfuscated landing page containing the Sundown exploit kit.
Figure 2. Obfuscated landing page of Sundown EK
When the user arrived on the landing page, the exploit kit checked the user’s computer for driver files associated with particular security software, controlled application environments (such as Sandboxie), and traffic-capturing tools. To avoid detection, the EK didn’t drop exploits if any of these products were present.
Figure 3. Exploit kit avoided dropping exploits if particular software was present
After checking for suitable conditions, the exploit kit attempted to exploit vulnerabilities in different software, including the recent Internet Explorer bug, CVE 2015-2444.
Figure 4. Exploit code
During this campaign, the exploit kit also took advantage of the following vulnerabilities:
If the kit successfully exploited any of these vulnerabilities, it dropped the payload Trojan.Nancrat onto the victim’s computer. This threat acts as back door and steals information from the compromised computer.
Symantec and Norton protection
Symantec and Norton products had detections in place for the Sundown exploit kit from the day it surfaced on underground marketplaces, so customers with updated antivirus and IPS signatures were protected against this attack. Users should ensure that they update their software regularly to prevent attackers from exploiting known vulnerabilities.