Sundown EK – Stealing Its Way to the Top

Sundown is one of the newest Exploit Kits on the market these days, and like many up-and-coming exploit kits before it, this means that it is in under constant development.

With the recent disappearance of the Angler and Nuclear exploit kits, both big players in the EK scene, a gap has been left in the market; and although most of it has been filled by more prominent exploit kits, such as Neutrino and RIG, there seems to be enough room for smaller players such as Sundown to step up and grab their slice of the proverbial pie.

A little over a year ago, Kaffeine talked about Sundown in a blog post, describing it as nothing special and just "mentioning this EK is around". Until recently not much has been done by Sundown's developers to try and rise up into the list of bigger and more serious exploit kits, and unfortunately for them, even those recent attempts to improve still didn't feel very serious…

So in order to upgrade the capabilities of Sundown, the author decided to take the following measures:

  • Outsource the panel & DGA coding work to the "Yugoslavian Business Network"
  • Steal exploits from other EK and incorporate them to Sundown

In this blog post we will go through the recent changes in the Sundown code and discuss its newly incorporated (stolen) exploits.

Sundown's use of subdomains or, "fake domain shadowing":

Fig1

Figure 1: A Tweet from @edx mentioning Sundown starting to use subdomains

As spotted by edx, sundown started to use subdomains for their .top/.pw domains , but the domain names look like a cat walked on your keyboard, and thus suspicious as hell.

Recently, however, we encountered an instance of sundown that uses what looks like domain shadowing which appears to be an actor using sundown in a more sophisticated way:

It looks like the actor bought a soon-to-be-expired domain cheap in order to benefit from their good reputation, and pointed them to the ip address of the legitimate service no-ip, this method likely helps the subdomains, which point to a different malicious IP address, stay alive longer before they are blacklisted.

So let's take a look at the new landing page, shall we?

Fig2

Figure 2: The new Sundown landing page

So what have we here? Some new info.js file that is being loaded, a ".dec" function called with some encrypted data followed by document.write of the decrypted code.

Next, the HTML tag is closed, and another one is opened for no apparent reason with some more script stuff.

But this is probably not a bug, but rather a feature: Sundown adds this code, whose purpose we will discuss further down the blog, to every page, most probably using a php include such as:

<?php include 'leetdetection.html';?>

We poked a little and observed it add this script even to invalid requests made to the landing page. In the past, such requests used to simply display the YBN logo, and now along with this lovely logo one will also receive this mysterious script:

Fig3

Figure 3: The page that Sundown shows when you try to access its landing page incorrectly

Fig4

Figure 4: The lovely YBN logo

So what is info.js and the .dec function we keep encountering?

Fig5

Figure 5: A snippet from the info.js file

Encryption is great as long as you don't give away the key:

Fig6

Figure 6: The decryption key is stored in plain-text

So what was encrypted? An obfuscated script which is basically a base64 decode of more obfuscated data:

Fig7

Figure 7: The code that was encrypted with info.js

Let's go deeper down the rabbit hole:

The base64 decodes into yet another JavaScript function that abuses the xmldom res:// vulnerability to avoid detection by looking for security software on the victim machine, of course this resistance attempt is futile, this method is old and patched a while ago, and other exploit kits use a new and unpatched fingerprinting method.

Fig8

Figure 8: The code that was encoded by base64

Congratulations to all those who made it to the short blacklist of Sundown:

Fig9

Figure 9: A list of security products Sundown is checking to avoid detection

Ok, so this super-secret encoded stuff was just an old technique to avoid detection, so where is the actual exploit stuff??? "You promised a new shiny exploit…"

Let's check the 2nd HTML Document tag

The 2nd HTML Document contains 4 script tags, which are essentially the same script as the decoded script we found that use base64 to decode a string, so perhaps in a future update Sundown will use this same info.js to further encrypt these chunks as well…

The first script is CVE-2015-2419, stolen from Angler. (Pastebin)

The second script is a Silverlight exploit, CVE-2016-0034 stolen from RIG. (Pastebin)

The third script is the publicly available hacking team CVE-2015-5119. (Pastebin)

The last and fourth script is the shiny new exploit that was added, drumroll please:

Fig10

Figure 10: The 4th script that was encoded by base64

Fig11

Figure 11: Fiddler capture of the files loaded by the new Sundown landing page

Fig12

Figure 12: A snippet of the code in 96.swf that is used to unpack the Go_var1 binarydata

Ok, so what is this new mysterious 96.swf you ask?

It has some nifty binary data - could it be that Sundown has finally coded an exploit from scratch?

As you can see the "Anim" function is used to read the binary data which is XOR encrypted, and decrypt it. For readability purposes here is the same code with variables renamed:

Fig13

Fig 13: The XOR function with renamed variables

What we see here is a XOR decryption loop with a little twist. The XOR key is incremental, meaning that after each decrypted loop the XOR key value is incremented by 17. However, this is completely equivalent in cryptographic strength to a single XOR key, as the code increments it by a constant value.

This loop also does a sanity check at the beginning (line #5) to ensure that the first decrypted byte has the decimal value 70 (46 in hex) which corresponds to a first letter of the Flash file header (FWS).

We have written a simple python script to encode the binary data which is a 2nd stage flash exploit.

In order to use it, you need to extract the binary data from the flash file, you can use JPEXS FFDec or swfextract "swfextract -v -b 1 96.swf -o 1_Go_var1.bin"

Guess what is the 2nd stage flash? That's right, another stolen exploit, this time it is MagnitudeCVE-2016-4117

Fig14

Figure 14: The unpacked 2nd flash file in sundown

Fig15

Figure 15: A snippet of Magnitude's CVE-2016-4117

That's all folks, and the lesson for today it seems, is that there is no honor amongst thieves.

Trustwave Secure Web Gateway protects customers against the Sundown Exploit Kit.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.