I have finally found Sundown EK without having someone give it to me or borrowed from another researcher. I actually found this from alerts of Magnitude EK and it is quite possible the malvertising site may actually lead to other EK’s. Alas, I was sent to Sundown EK and not Magnitude but this could be an indication that Sundown is using the same mechanisms to get visitors as Magnitude is known for (ads).
This version of Sundown did not use stenography and seemed relatively straight forward. A landing page, one Flash exploit and then a payload. The payload was Zloader which I have seen before being dropped by Sundown.
Anyway the files and pcap are available for download. Perhaps someone can figure out why I saw White Lotus EK exploits ET signatures. I hope the new IOC’s will be of use to the community.
Background Information on Sundown EK:
Sundown EK has changed so much over the past few months that I’m not sure any article can cover what it is today. Sundown is known to use parts of other exploit kits. Recently however it was reported that Sundown uses stenography however I did not see this occur in this sample.
- 140217-sundownzloader-> Contains pcapng and payload in password protected zip.
- 126.96.36.199 – onclickads[.]net – Malvertising
- 188.8.131.52 – onclkds[.]com – Malvertising
- 184.108.40.206 – petloversetc[.]com – Compromised Website
- 220.127.116.11 – ai.rqrzq[.]com – Sundown Landing Page
- 18.104.22.168 – dqg.rkrtk[.]com – Sundown Payload download
- 22.214.171.124 – gunsun[.]su – Zloader
- 126.96.36.199 – bedborder[.]su – Zloader
- Payload was z3qpfzic.exe -> VirusTotal
Details of infection chain:
(click to enlarge!)
- A malvertising URL searches for old versions of Flash and redirects to a compromised site.
- An iframe on the compromised site redirects to Sundown EK.
- ai.rqrzq[.]com and dqg.rkrtk[.]com is Sundown EK, from top to bottom -> Landing Page -> Flash -> Payload
- Dropped payload “z3qpfzic.exe”.
SHA256: 43e30e3a58772743ad3fa4ae75de1a06204219eb80fbfc53fdb884d830942d44 File name: z3qpfzic.exe Detection ratio: 6 / 58
- Known also as Terdot A, Zloader periodically sends data to a command and control.
- Interestingly I had some ET signatures for exploits used by White Lotus EK:
- ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 3 (A Network Trojan was Detected) 
ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 2 (A Network Trojan was Detected) 
ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 1 (A Network Trojan was Detected)