The Sundown exploit kit was detected in active malvertising campaigns last September. At the time, the exploit kit was delivering the CryLocker ransomware, together with the RIG EK. Unfortunately, security researchers at TrendMicro have discovered that Sundown has recently been updated, meaning that an uptick in ransomware and malware attacks should be expected. Considering the nature of the tool, it may continue to be deployed in the distribution of both ransomware and malware. In the latest campaign, researchers identified the Chthonic banking Trojan as the payload of the operation.
The latest Sundown exploit kit activity was detected on December 27, 2016, when attackers used PNG images to store both the harvested information and the exploit code. In September's attacks, where the payload was the CryLocker ransomware, PNG files were also used to pack harvested user information. The images were then uploaded to an Imgur album so that the cybercriminals could avoid detection.
Sundown Exploit Kit Steganography Capabilities
TrendMicro researchers have reported that the exploit kit was recently updated with steganography techniques. As a result, the PNG files are now used not only to store harvested information but also to hide the exploit code:
On December 27, 2016, we noticed that Sundown was updated to use similar techniques. The PNG files weren’t just used to store harvested information; the malware designers now used steganography to hide their exploit code.
What is steganography? It is an advanced technique used to hide malicious code inside an image in order to bypass signature-based detection. It is a popular technique in malvertising attacks based on exploit kits. The GooNky malvertising campaign is a good example, as it used multiple tactics to conceal its traffic, such as moving part of the malicious code into images to escape detection.
In this new Sundown exploit kit instance, the attackers did not really conceal the data in the picture itself: they simply appended the malicious code to the end of the file, the researchers explain.
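Because the code is appended after the image data rather than hidden in the pixels, a defender can spot such a file by walking the PNG chunk structure and checking whether anything follows the IEND chunk. The following script is an added example, not code from TrendMicro or the original article; it builds a constructed 1x1 white PNG, appends a harmless placeholder string to simulate the trailing data, and reports the bytes found past IEND (most image decoders stop at IEND, so the picture still renders normally).

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list and return whatever follows the IEND chunk.

    Returns b"" for a file that ends exactly at IEND. Raises ValueError for a
    malformed file (bad signature, truncated chunk, or no IEND), which a
    scanner should also treat as suspicious rather than ignore.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # 8-byte header + payload + 4-byte CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        if ctype == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk found")


def make_png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: length, type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed sample: a valid width x height white 8-bit RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline starts with filter type 0 followed by RGB triples.
    raw = b"".join(b"\x00" + b"\xff\xff\xff" * width for _ in range(height))
    idat = zlib.compress(raw)
    return (PNG_SIGNATURE + make_png_chunk(b"IHDR", ihdr)
            + make_png_chunk(b"IDAT", idat) + make_png_chunk(b"IEND", b""))


if __name__ == "__main__":
    clean = build_minimal_png()
    # Constructed placeholder standing in for appended content; not real exploit code.
    tampered = clean + b"PLACEHOLDER-APPENDED-DATA"
    print("clean trailing bytes:", len(png_trailing_data(clean)))
    print("tampered trailing bytes:", png_trailing_data(tampered))
```

Hits on a trailing-data check are a strong triage signal for images fetched from ad networks or landing pages, since legitimate PNG writers end the file at IEND.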
The updated EK was seen in malvertising campaigns distributing malware in Japan, Canada, and France, with Japanese users accounting for more than 30 percent of all the targets. See image below (by TrendMicro):
In this updated version, the exploit kit’s malvertisement creates a hidden iframe that automatically connects to the Sundown landing page. The page will retrieve and download a white PNG image.
CVE-2015-2419 Leveraged in the Latest Sundown Exploit Kit Attacks
Researchers also found that the code hidden in the PNG image included an exploit targeting the CVE-2015-2419 vulnerability:
JScript 9 in Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "JScript9 Memory Corruption Vulnerability."
In addition, a Flash exploit for CVE-2016-4117 was also retrieved by the exploit code. The landing page itself includes an exploit targeting another Internet Explorer (IE) vulnerability, CVE-2016-0189, the researchers note.
Interestingly, all of the exploits mentioned above have already been patched and were used by other exploit kits throughout 2016.
Protection against Sundown Exploit Kit and Other EKs
Exploit kits are used on an industrial scale. They are automated toolkits that profile a user's web browser and its plugins, look for unpatched flaws to leverage, and then deliver the malicious payload. This means your browser should always be fully patched; never underestimate the importance of security updates. Users should install security fixes for all their software as soon as patches are released.
If a patch is not yet available, an attack relying on the vulnerability can still be deflected by up-to-date anti-malware software. Most such programs will detect and intercept exploits attempting to take advantage of a flaw.