Sundown EK Sees a New Dawn


The Sundown exploit kit has matured to position itself as a major player within the exploit landscape.

With new and more substantial tactics, Sundown has found less obvious ways to attack users and spread malicious content, the Cisco Talos team noted. Talos had previously identified Sundown's lack of sophistication and its tactic of "hiding in plain sight" last fall.

“Previously Sundown was using numeric subfolders and numeric file names with proper extensions,” Talos researchers said, in a blog. “That has now changed with this newer version of Sundown.”

Also of note is Sundown's approach to compromising systems. Most exploit kits will attempt a single exploit on a system to achieve compromise. Sundown throws its full arsenal at a potential victim—and it’s a large arsenal, with several added exploits, some lifted from the RIG or Angler EKs.

“Typically you will see the IE scripting vulnerability targeted as well as several malicious flash files,” the researchers said. “This approach is noisy but gives Sundown the best chance of successfully compromising endpoints.”
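The "noisy" delivery pattern described above (one landing page followed by several Flash objects from the same host) is also a detection opportunity. The following is an added example, not code from the original article or from Talos: a small heuristic run over constructed proxy log lines. The log format, the 60-second window and the two-SWF threshold are assumptions for the example.

```python
"""Flag clients that fetch an HTML page and then several distinct SWF
objects from the same host within a short window. Log format, window
and threshold are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real traffic):
# timestamp, client IP, host, path, response content type
SAMPLE_LOG = """\
2017-03-01T10:00:01 10.0.0.5 news.example.org /index.html text/html
2017-03-01T10:00:02 10.0.0.5 cdn.example.org /style.css text/css
2017-03-01T10:00:10 10.0.0.5 lp.example.net /index.php text/html
2017-03-01T10:00:11 10.0.0.5 lp.example.net /a1b2.swf application/x-shockwave-flash
2017-03-01T10:00:12 10.0.0.5 lp.example.net /c3d4.swf application/x-shockwave-flash
2017-03-01T10:00:13 10.0.0.5 lp.example.net /e5f6.swf application/x-shockwave-flash
2017-03-01T10:00:20 10.0.0.7 video.example.org /player.html text/html
2017-03-01T10:00:21 10.0.0.7 video.example.org /player.swf application/x-shockwave-flash
"""

SWF_TYPE = "application/x-shockwave-flash"


def parse_log(text):
    """Parse the constructed log format into (time, client, host, path, type) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, ctype = line.split()
        records.append((datetime.fromisoformat(ts), client, host, path, ctype))
    return records


def find_multi_swf_sessions(records, window_s=60, min_swf=2):
    """Return sorted (client, host, swf_count) triples where an HTML response
    was followed within window_s seconds by at least min_swf distinct SWF
    objects from the same host. A single SWF (a normal video player) is not
    enough; the kit-style pattern is several different exploit files at once."""
    by_pair = defaultdict(list)
    for rec in sorted(records):
        by_pair[(rec[1], rec[2])].append(rec)

    flagged = []
    for (client, host), recs in by_pair.items():
        for i, (ts, _, _, _, ctype) in enumerate(recs):
            if ctype != "text/html":
                continue
            swfs = {r[3] for r in recs[i + 1:]
                    if r[4] == SWF_TYPE and (r[0] - ts).total_seconds() <= window_s}
            if len(swfs) >= min_swf:
                flagged.append((client, host, len(swfs)))
                break  # one hit per client/host pair is enough
    return sorted(flagged)


if __name__ == "__main__":
    for client, host, n in find_multi_swf_sessions(parse_log(SAMPLE_LOG)):
        print(f"{client} fetched {n} distinct SWF objects from {host} right after an HTML page")
```

In the constructed sample, only the client that pulled three different SWF files from `lp.example.net` right after its landing page is flagged; the client that loaded one `player.swf` from a video site is not. In production the threshold should be tuned against the environment's baseline of legitimate Flash content.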

They added, “Sundown is an exploit kit in transition, it has stopped using calling cards and other easy ways to identify its activity. It is one of the few exploit kits adding any new exploits to their arsenal, albeit stolen. At the same time they consistently steal exploits and technologies from other people and competitors. The exploit kit landscape has been struggling to find its footing since the major players have left. It still appears to be in transition with RIG and Sundown being the primary players left as an option for those looking to compromise random victims while browsing the web.”

One of the most notable findings is the use of domain resellers in one active campaign, centered on the bulk purchase of expiring domains through auctions commonly held within the domain reseller market.

“We repeatedly encountered registrant accounts using the name ‘Stivie Malone’ while investigating Sundown activity,” it said. “There was also a common email address of stiviemalone@gmail[.]com. One thing that made this account interesting was the sheer number of domains the user owned….Looking back historically we have found a total of more than 3,000 domains.”

Looking deeper, the team uncovered a network of domain reselling and a history of bulk purchases of expired or soon-to-expire domains.

“Reselling of domains is a common tactic used by individuals to try and get value out of their already registered domains, especially if they are soon expiring,” the researchers noted. “In the case that the reseller does not plan to renew them, reselling allows them to get a bit of residual value out of them.”

The price point of these domains falls between $0.10 and $0.60.

“For a relatively small price and using a digital currency these actors are able to obtain a large amount of domains,” the researchers said.

While Talos was working with GoDaddy on getting the domains seized, Sundown activity from these accounts effectively stopped and the actor pivoted.

“[They] had moved to full privacy protection mode,” researchers said. “Additionally, they were no longer leveraging GoDaddy in any way and instead moved to a registrar based out of Europe. Finally the user accounts found on namepros were also no longer being used and there was no additional activity seen even related to the sale of the existing domains.”
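The registrant pivot described above (one name and email address tying together thousands of domains bought in bulk) and the reason it stopped working once the actor switched on WHOIS privacy can both be shown in code. The following is an added example, not code from the original article or from Talos: it clusters constructed WHOIS-style records by registrant email, scores each cluster for bulk-buying behaviour, and drops privacy-proxy contacts, since a shared proxy address no longer identifies one registrant. The records, registrar names, thresholds and the list of privacy markers are assumptions for the example; a real investigation would run this over historical WHOIS data.

```python
"""Cluster WHOIS-style records by registrant email and flag bulk buyers.
All records, thresholds and privacy markers are assumptions for this example."""
from collections import defaultdict
from datetime import date, timedelta

# Substrings that mark a privacy/proxy contact rather than a real registrant (assumed list).
PRIVACY_MARKERS = ("privacy", "proxy", "redacted")

# Constructed records (not real WHOIS data):
# domain, registrant name, registrant email, registrar, creation date
SAMPLE_WHOIS = [
    ("first-domain.example", "J. Buyer", "bulkbuyer@example.com", "RegistrarA", date(2016, 11, 2)),
    ("second-domain.example", "J. Buyer", "bulkbuyer@example.com", "RegistrarA", date(2016, 11, 2)),
    ("third-domain.example", "J Buyer", "bulkbuyer@example.com", "RegistrarA", date(2016, 11, 3)),
    ("fourth-domain.example", "J. Buyer", "bulkbuyer@example.com", "RegistrarA", date(2016, 11, 5)),
    ("fifth-domain.example", "Jay Buyer", "bulkbuyer@example.com", "RegistrarB", date(2017, 1, 20)),
    ("hobby-site.example", "A. Person", "a.person@example.org", "RegistrarA", date(2015, 6, 1)),
    ("shop.example", "Retail Co", "admin@example.net", "RegistrarB", date(2014, 2, 14)),
    ("hidden-one.example", "Whois Privacy Service", "contact@privacy-proxy.example", "RegistrarC", date(2017, 2, 1)),
    ("hidden-two.example", "Whois Privacy Service", "contact@privacy-proxy.example", "RegistrarC", date(2017, 2, 1)),
]


def is_privacy_contact(email):
    """True when the contact address belongs to a privacy/proxy service."""
    email = email.lower()
    return any(marker in email for marker in PRIVACY_MARKERS)


def cluster_by_email(records):
    """Group records by registrant email. The email is used rather than the name
    because spelling of the name varies ("J. Buyer", "Jay Buyer") while the
    address is stable. Privacy-proxy contacts are skipped: once an actor enables
    WHOIS privacy this pivot no longer works, which is the caveat from the article."""
    clusters = defaultdict(list)
    for rec in records:
        if is_privacy_contact(rec[2]):
            continue
        clusters[rec[2].lower()].append(rec)
    return clusters


def max_burst(dates, window_days=7):
    """Largest number of registrations falling inside any window_days span.
    Bulk purchases from expiring-domain auctions show up as tight bursts."""
    dates = sorted(dates)
    best = 0
    for i, start in enumerate(dates):
        end = start + timedelta(days=window_days)
        best = max(best, sum(1 for d in dates[i:] if d <= end))
    return best


def bulk_registrants(records, min_domains=3, min_burst=3):
    """Return sorted (email, domain_count, registrars, burst) for accounts that
    hold at least min_domains domains with at least min_burst registered in one
    burst. Listing registrars makes a move between registrars visible."""
    out = []
    for email, recs in cluster_by_email(records).items():
        domains = {r[0] for r in recs}
        if len(domains) < min_domains:
            continue
        burst = max_burst([r[4] for r in recs])
        if burst < min_burst:
            continue
        out.append((email, len(domains), sorted({r[3] for r in recs}), burst))
    return sorted(out)


if __name__ == "__main__":
    for email, n, registrars, burst in bulk_registrants(SAMPLE_WHOIS):
        print(f"{email}: {n} domains across {registrars}, {burst} registered within one week")
```

On the constructed data the single bulk account is flagged with five domains, four of them registered within one week and a later move to a second registrar, while the two privacy-protected domains never enter a cluster at all. That last point is the practical limit of the technique: after the actor in the article moved to privacy protection and a different registrar, this kind of pivot has to fall back on other shared infrastructure (name servers, hosting, certificates) rather than registrant identity.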

This suggests that an end goal in fighting EKs could be making the cost of entry outweigh the potential monetary reward for the criminal activity.

“Shutting down these domains and killing the registrant accounts is not going to stop these individuals forever, but it will force them to change and spend additional capital setting up new infrastructure from which to host their malicious content,” Talos concluded. 
