Sundown is one of the newest Exploit Kits on the market these days, and like many up-and-coming exploit kits before it, this means that it is in under constant development.
With the recent disappearance of the Angler and Nuclear exploit kits, both big players in the EK scene, a gap has been left in the market; and although most of it has been filled by more prominent exploit kits, such as Neutrino and RIG, there seems to be enough room for smaller players such as Sundown to step up and grab their slice of the proverbial pie.
A little over a year ago, Kaffeine talked about Sundown in a blog post, describing it as nothing special and just "mentioning this EK is around". Until recently not much has been done by Sundown's developers to try and rise up into the list of bigger and more serious exploit kits, and unfortunately for them, even those recent attempts to improve still didn't feel very serious…
So in order to upgrade the capabilities of Sundown, the author decided to take the following measures:
- Outsource the panel & DGA coding work to the "Yugoslavian Business Network"
- Steal exploits from other EK and incorporate them to Sundown
In this blog post we will go through the recent changes in the Sundown code and discuss its newly incorporated (stolen) exploits.
Sundown's use of subdomains or, "fake domain shadowing":
Figure 1: A Tweet from @edx mentioning Sundown starting to use subdomains
It looks like the actor bought a soon-to-be-expired domain cheap in order to benefit from their good reputation, and pointed them to the ip address of the legitimate service no-ip, this method likely helps the subdomains, which point to a different malicious IP address, stay alive longer before they are blacklisted.
So let's take a look at the new landing page, shall we?
Figure 2: The new Sundown landing page
So what have we here? Some new info.js file that is being loaded, a ".dec" function called with some encrypted data followed by document.write of the decrypted code.
Next, the HTML tag is closed, and another one is opened for no apparent reason with some more script stuff.
But this is probably not a bug, but rather a feature: Sundown adds this code, whose purpose we will discuss further down the blog, to every page, most probably using a php include such as:
<?php include 'leetdetection.html';?>
We poked a little and observed it add this script even to invalid requests made to the landing page. In the past, such requests used to simply display the YBN logo, and now along with this lovely logo one will also receive this mysterious script:
Figure 3: The page that Sundown shows when you try to access its landing page incorrectly
Figure 4: The lovely YBN logo
So what is info.js and the .dec function we keep encountering?
Figure 5: A snippet from the info.js file
Encryption is great as long as you don't give away the key:
Figure 6: The decryption key is stored in plain-text
So what was encrypted? An obfuscated script which is basically a base64 decode of more obfuscated data:
Figure 7: The code that was encrypted with info.js
Let's go deeper down the rabbit hole:
Figure 8: The code that was encoded by base64
Congratulations to all those who made it to the short blacklist of Sundown:
Figure 9: A list of security products Sundown is checking to avoid detection
Ok, so this super-secret encoded stuff was just an old technique to avoid detection, so where is the actual exploit stuff??? "You promised a new shiny exploit…"
Let's check the 2nd HTML Document tag
The 2nd HTML Document contains 4 script tags, which are essentially the same script as the decoded script we found that use base64 to decode a string, so perhaps in a future update Sundown will use this same info.js to further encrypt these chunks as well…
The last and fourth script is the shiny new exploit that was added, drumroll please:
Figure 10: The 4th script that was encoded by base64
Figure 11: Fiddler capture of the files loaded by the new Sundown landing page
Figure 12: A snippet of the code in 96.swf that is used to unpack the Go_var1 binarydata
Ok, so what is this new mysterious 96.swf you ask?
It has some nifty binary data - could it be that Sundown has finally coded an exploit from scratch?
As you can see the "Anim" function is used to read the binary data which is XOR encrypted, and decrypt it. For readability purposes here is the same code with variables renamed:
Fig 13: The XOR function with renamed variables
What we see here is a XOR decryption loop with a little twist. The XOR key is incremental, meaning that after each decrypted loop the XOR key value is incremented by 17. However, this is completely equivalent in cryptographic strength to a single XOR key, as the code increments it by a constant value.
This loop also does a sanity check at the beginning (line #5) to ensure that the first decrypted byte has the decimal value 70 (46 in hex) which corresponds to a first letter of the Flash file header (FWS).
We have written a simple python script to encode the binary data which is a 2nd stage flash exploit.
In order to use it, you need to extract the binary data from the flash file, you can use JPEXS FFDec or swfextract "swfextract -v -b 1 96.swf -o 1_Go_var1.bin"
Figure 14: The unpacked 2nd flash file in sundown
Figure 15: A snippet of Magnitude's CVE-2016-4117
That's all folks, and the lesson for today it seems, is that there is no honor amongst thieves.
Trustwave Secure Web Gateway protects customers against the Sundown Exploit Kit.