SpiderLabs Blog

Sundown EK – Stealing Its Way to the Top

Sundown is one of the newest Exploit Kits on the market these days, and like many up-and-coming exploit kits before it, this means that it is under constant development.

With the recent disappearance of the Angler and Nuclear exploit kits, both big players in the EK scene, a gap has been left in the market, and although most of it has been filled by more prominent exploit kits, such as Neutrino and RIG, there seems to be enough room for smaller players such as Sundown to step up and grab their slice of the proverbial pie.

A little over a year ago, Kaffeine talked about Sundown in a blog post, describing it as nothing special and just "mentioning this EK is around". Until recently not much has been done by Sundown's developers to try and rise up into the list of bigger and more serious exploit kits, and unfortunately for them, even those recent attempts to improve still didn't feel very serious…

So in order to upgrade the capabilities of Sundown, the author decided to take the following measures:

  • Outsource the panel & DGA coding work to the "Yugoslavian Business Network"
  • Steal exploits from other EKs and incorporate them into Sundown

In this blog post we will go through the recent changes in the Sundown code and discuss its newly incorporated (stolen) exploits.


Sundown's use of subdomains, or "fake domain shadowing":


Figure 1: A Tweet from @edx mentioning Sundown starting to use subdomains

As spotted by edx, Sundown started to use subdomains for their .top/.pw domains, but the domain names look like a cat walked on your keyboard, and are thus suspicious as hell.

Recently, however, we encountered an instance of Sundown that uses what looks like domain shadowing, which appears to be an actor using Sundown in a more sophisticated way:

It looks like the actor bought soon-to-expire domains cheaply in order to benefit from their good reputation and pointed them to the IP address of the legitimate service No-IP. This method likely helps the subdomains, which point to a different, malicious IP address, stay alive longer before they are blacklisted.


So let's take a look at the new landing page, shall we?


Figure 2: The new Sundown landing page

So what have we here? A new info.js file that is being loaded, a ".dec" function called with some encrypted data, followed by a document.write of the decrypted code.

Next, the HTML tag is closed, and another one is opened for no apparent reason with some more script stuff.

But this is probably not a bug but rather a feature: Sundown adds this code, whose purpose we will discuss further down the blog, to every page, most probably using a PHP include such as:

<?php include 'leetdetection.html';?>

We poked around a little and observed that it adds this script even to invalid requests made to the landing page. In the past, such requests used to simply display the YBN logo; now, along with this lovely logo, one will also receive this mysterious script:


Figure 3: The page that Sundown shows when you try to access its landing page incorrectly


Figure 4: The lovely YBN logo


So what is info.js and the .dec function we keep encountering?


Figure 5: A snippet from the info.js file

Encryption is great as long as you don't give away the key:


Figure 6: The decryption key is stored in plain-text

So what was encrypted? An obfuscated script which is basically a base64 decode of more obfuscated data:


Figure 7: The code that was encrypted with info.js


Let's go deeper down the rabbit hole:

The base64 decodes into yet another JavaScript function that abuses the XMLDOM res:// vulnerability to look for security software on the victim machine and so avoid detection. Of course, this resistance attempt is futile: the method is old and was patched a while ago, and other exploit kits use a newer, unpatched fingerprinting method.


Figure 8: The code that was encoded by base64

Congratulations to all those who made it to the short blacklist of Sundown:


Figure 9: A list of security products Sundown is checking to avoid detection

Ok, so this super-secret encoded stuff was just an old technique to avoid detection. So where is the actual exploit stuff??? "You promised a new shiny exploit…"


Let's check the 2nd HTML Document tag:

The 2nd HTML Document contains 4 script tags, which are essentially the same as the decoded script we found, each using base64 to decode a string; so perhaps in a future update Sundown will use this same info.js to further encrypt these chunks as well…

The first script is CVE-2015-2419, stolen from Angler. (Pastebin)

The second script is a Silverlight exploit, CVE-2016-0034 stolen from RIG. (Pastebin)

The third script is the publicly available Hacking Team exploit, CVE-2015-5119. (Pastebin)

The last and fourth script is the shiny new exploit that was added, drumroll please:


Figure 10: The 4th script that was encoded by base64


Figure 11: Fiddler capture of the files loaded by the new Sundown landing page


Figure 12: A snippet of the code in 96.swf that is used to unpack the Go_var1 binary data

Ok, so what is this new mysterious 96.swf you ask?

It has some nifty binary data - could it be that Sundown has finally coded an exploit from scratch?

As you can see, the "Anim" function is used to read the binary data, which is XOR encrypted, and decrypt it. For readability purposes, here is the same code with variables renamed:


Figure 13: The XOR function with renamed variables

What we see here is an XOR decryption loop with a little twist. The XOR key is incremental, meaning that after each loop iteration the XOR key value is incremented by 17. However, this is completely equivalent in cryptographic strength to a single XOR key, since the code increments it by a constant value.

This loop also does a sanity check at the beginning (line #5) to ensure that the first decrypted byte has the decimal value 70 (0x46), which corresponds to the first letter of the Flash file header (FWS).

We have written a simple Python script to decode the binary data, which is a 2nd-stage Flash exploit.

In order to use it, you need to extract the binary data from the Flash file; you can use JPEXS FFDec or swfextract: "swfextract -v -b 1 96.swf -o 1_Go_var1.bin"
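The incrementing-key XOR unpacking described above, written out as an added Python example (this is not the SpiderLabs script, and it assumes the running key is a single byte that wraps modulo 256): it recovers the starting key from the 'F' sanity check, decrypts the blob and verifies the FWS header, using a constructed sample blob so it runs offline.

```python
# Added example, not the SpiderLabs script: decrypt an XOR-obfuscated blob whose
# key is incremented by a constant (17) after every byte, then validate the
# result with the same "FWS" Flash header check the loader performs.
# Assumption: the key is a single byte that wraps modulo 256.

KEY_STEP = 17          # increment applied after each byte (from the post)
FWS_MAGIC = b"FWS"     # uncompressed Flash header; first byte 0x46 == 70


def xor_incremental(data: bytes, key: int, step: int = KEY_STEP) -> bytes:
    """XOR each byte with a running key; symmetric, so it both encrypts and decrypts."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        out[i] = b ^ key
        key = (key + step) & 0xFF   # assumption: byte-sized key that wraps
    return bytes(out)


def recover_key(blob: bytes, known_first: int = FWS_MAGIC[0]) -> int:
    """The loader's sanity check (first plaintext byte must be 'F') is a
    known-plaintext leak: the starting key is simply blob[0] XOR 0x46."""
    if not blob:
        raise ValueError("empty blob")
    return blob[0] ^ known_first


def unpack_stage2(blob: bytes) -> bytes:
    """Recover the key, decrypt, and verify the full FWS header like the loader."""
    key = recover_key(blob)
    plain = xor_incremental(blob, key)
    if not plain.startswith(FWS_MAGIC):
        raise ValueError("decrypted data is not an uncompressed SWF (no FWS header)")
    return plain


# Constructed sample: a fake SWF header ("FWS", version 10) plus filler bytes,
# encrypted with an arbitrary starting key so the round trip can be checked.
SAMPLE_SWF = b"FWS\x0a" + b"\x00\x01\x02\x03" + b"stage2-payload"
SAMPLE_BLOB = xor_incremental(SAMPLE_SWF, key=0x5A)

if __name__ == "__main__":
    import sys
    # Pass the extracted 1_Go_var1.bin as argv[1]; without it the sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_BLOB
    swf = unpack_stage2(data)
    print(f"key=0x{recover_key(data):02x} header={swf[:4]!r} size={len(swf)}")
```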

Guess what the 2nd-stage Flash file is? That's right, another stolen exploit, this time Magnitude's CVE-2016-4117.


Figure 14: The unpacked 2nd flash file in sundown


Figure 15: A snippet of Magnitude's CVE-2016-4117

That's all folks, and the lesson for today it seems, is that there is no honor amongst thieves.

Trustwave Secure Web Gateway protects customers against the Sundown Exploit Kit.
