Rig EK delivers Smoke Loader

Summary:

Today I found a strange instance of Rig EK. I was presented with the landing page directly, without it being silently loaded via an iframe, etc. There were no Flash exploits used against me either. An old-style Rig EK URL from another Rig EK domain downloaded a payload; it is possible the download was split.

The payload was Smoke Loader, a loader that downloads additional malware known as plugins. It has been dropped by Rig EK before, though last month it was seen being dropped by Sundown EK. Now that Sundown EK is dead it looks like it is shifting back to Rig EK.

Hope you enjoy this seemingly unusual instance of Rig EK. Smoke Loader is a very interesting malware so I will be looking into it in more detail.

I also had a recommendation to split the pcaps and artifacts so I have done that.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • In depth look at Smoke Loader:

https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/

Downloads (in password protected zip)

  • 290317-RigSmoke -> Pcap of Rig and Smoke Loader traffic. Note I was using a proxy, so IP addresses won’t necessarily match the rest of this article.
  • 290317-SmokeLoader -> Smoke Loader (hosted on FileDropper because of WordPress issues, long story..)

Notable Details:

  • 173.208.245.114 – sextosex.club – Gate 1
  • 23.238.19.56 – freecouponcodes.ga – Gate 2
  • 92.53.124.144 – name.bellofpeace.org – Rig EK
  • 46.173.214.185 – city.urbanpicker.com – Rig EK (old pattern)
  • 104.96.50.180 – adobe.com – Smoke Loader Connectivity
  • 112.78.9.34 – mailsrv.xsayeszhaifa.bit – Smoke Loader CnC
  • 60.26.136.1 – mailserv.nutsystem323z.bit – Smoke Loader CnC
  • 83.96.168.183 – nutsystem3.bit – Smoke Loader CnC
  • Payload was faummt45.exe-> VirusTotal (fbe635771408899275746442a499c7cc36f602fa8028863b9b20b66e48568199)

Details of infection chain:

[Image: RigEKSmokeLoader.png]

A strange Rig EK drops Smoke Loader. Note the Rig EK flow contains an old Rig Pattern and the landing page URL seems to be directly accessed. Smoke Loader downloads additional malware known as plugins.

Full Details:

  • Two 302 redirects to Rig EK
  • This Rig EK did not use a Flash exploit against me.
  • The Rig EK flow also included one old URL-style Rig EK request, which was very peculiar. I was also presented with the landing page directly, without it being silently loaded via an iframe, etc.
  • [Image: LandingDirect]
  • The Payload was Smoke Loader.
  • Smoke Loader added itself to startup and prevented itself from being manually terminated. It also minimised Process Explorer whenever it was loaded up.
  • Smoke Loader copied itself into a hidden folder in Roaming. This file has the same hash as the payload downloaded. When the system is rebooted the show hidden files option is reverted to default.
  • Smoke Loader downloaded one additional “plugin” and I’m sure it would have fetched more over time.
  • There was an executable added to startup called “Macromedia” but I was unable to copy this file as it was “in use” and I could not terminate Smoke Loader.
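The copy in Roaming has the same SHA-256 as the dropped exe, which makes a hash sweep of the profile a quick way to find it (and any further copies) during triage. The following is an added example, not code from the blog: it walks a directory tree, hashes every file, reports the ones matching a known hash, and notes whether the match sits in a hidden folder. The demo tree is constructed in a temp directory so it runs offline on any OS; the stand-in "payload" bytes are constructed, and the hidden-folder test falls back to a dot-prefixed name where Windows file attributes are unavailable (an assumption for non-Windows hosts).

```python
"""Hash-sweep a profile directory for copies of a known payload.
Added example; constructed demo tree, not real malware."""
import hashlib
import os
import stat
import tempfile

# SHA-256 of the Rig EK payload listed in this post. The demo tree does NOT
# contain that file; a constructed stand-in is hashed so the run is reproducible.
RIG_PAYLOAD_SHA256 = "fbe635771408899275746442a499c7cc36f602fa8028863b9b20b66e48568199"
DEMO_PAYLOAD = b"MZ-constructed-stand-in-for-faummt45.exe"  # constructed bytes
DEMO_PAYLOAD_SHA256 = hashlib.sha256(DEMO_PAYLOAD).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large droppers don't get read into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_hidden(path):
    """Windows: FILE_ATTRIBUTE_HIDDEN. Elsewhere (assumption): dot-prefixed name."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def sweep(root, known_hashes):
    """Return [(path, sha256, in_hidden_dir)] for files whose hash is in known_hashes."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # A file counts as "in a hidden dir" if any directory between root and it is hidden.
        rel = os.path.relpath(dirpath, root)
        parts = [] if rel == "." else rel.split(os.sep)
        hidden_dir, cur = False, root
        for part in parts:
            cur = os.path.join(cur, part)
            if is_hidden(cur):
                hidden_dir = True
                break
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in known_hashes:
                hits.append((path, digest, hidden_dir))
    return hits


def build_demo_tree():
    """Constructed Roaming-like tree: a hidden folder holding a copy of the
    payload plus one benign file. Returns (root, expected_copy_path)."""
    root = tempfile.mkdtemp(prefix="roaming-demo-")
    hidden = os.path.join(root, ".xkqvz")  # dot prefix marks it hidden off-Windows
    os.makedirs(hidden)
    copy_path = os.path.join(hidden, "faummt45.exe")
    with open(copy_path, "wb") as fh:
        fh.write(DEMO_PAYLOAD)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"benign")
    if os.name == "nt":
        os.system(f'attrib +h "{hidden}"')  # set the real hidden attribute on Windows
    return root, copy_path


def demo():
    """Build the demo tree and sweep it for both the real and stand-in hashes."""
    root, expected = build_demo_tree()
    return sweep(root, {DEMO_PAYLOAD_SHA256, RIG_PAYLOAD_SHA256}), expected


if __name__ == "__main__":
    found, _ = demo()
    for p, digest, hidden in found:
        print(f"{digest[:12]}  hidden_dir={hidden}  {p}")
```

On a live host, point `sweep()` at `%APPDATA%` with the payload hash from VirusTotal; a match inside a hidden folder is exactly the Smoke Loader behaviour described above. Note that "show hidden files" being reverted does not affect this sweep, since `os.walk` does not honour Explorer settings.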


SHA256: fbe635771408899275746442a499c7cc36f602fa8028863b9b20b66e48568199
File name: faummt45.exe
Detection ratio: 16 / 61
SHA256: a11be3646626bf210b355f8dc2d4236ec6651da595ab8a7b364ae2f28ad01996
File name: 3BE1.tmp.exe
Detection ratio: 20 / 61

Terror EK via Malvertising delivers Tofsee Spambot

Summary:

This was a great find, Terror EK in the wild from malvertising. The landing page appeared to be in the compromised site itself and was not loaded from an iframe, etc. The site just displayed gibberish (Lorem Ipsum). The EK used three Flash files, attempted a Silverlight exploit and triggered several interesting ET signatures. There was also almost no obfuscation of the code.

The payload was Tofsee, and thanks go to @Antelox for confirming it. Tofsee is a spambot known to send spam emails. It has been dropped by Rig EK in the past. I did not see much email traffic; however, I was using a proxy, which may have caused some traffic not to be logged.

Anyway this is a great find and I hope you can gain a lot of information from it.

Background Information:

A few articles and samples on Terror exploit kit:

https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit–More-like-Error-Exploit-Kit/

http://www.broadanalysis.com/2016/06/13/rig-exploit-kit-from-5-200-55-156-sends-tofsee-spambot/

Article on Tofsee:

https://www.cert.pl/en/news/single/tofsee-en/

Downloads

  • 230317TerrorTofsee-> Contains pcapng, payloads and flash files in password protected zip.

Notable Details:

  • 52.29.235.194 – eu4.echo-ice.com – Part of a malvertising chain
  • 173.208.245.114 – paydayloanservice.net – Part of a malvertising chain
  • 128.199.233.119 – Terror EK Traffic
  • 103.48.6.14 – Tofsee Post Infection
  • 111.121.193.242 – Tofsee Post Infection
  • Payload was Tofsee Spambot (rad6AC11.tmp.exe created kxuepssx.exe)

Details of infection chain:

[Image: TerrorEK-Tofsee.png]

Terror EK via malvertising drops Tofsee spambot. I have added the IP addresses in here manually. The PCAP uses a proxy IP.

Full Details:

  • The malvertising chain led to a website that contained gibberish but also hosted the entire landing page with little to no attempt to obfuscate it. Below is a snippet: [Image: LandingPageT1]
  • Terror EK uses a variety of exploits and has three different Flash files. The Flash files had not been uploaded to VT for over a year.
  • SHA256: d7919a2c2a03e96200858fe2c8a405af1ae40f0590937f9a1a8b076f1d341c27
    File name: dafsg.swf
    Detection ratio: 34 / 56
  • SHA256: 55eea72f4fdf639987fc80789040dc1e98091c4adf8f30aebaba86d15f3aae06
    File name: oiuhygnjda.swf
    Detection ratio: 27 / 56
  • SHA256: 6e16ddfcf4c5f557f0f64ee8a4f16741e79dbe29acb43eccab87329116e88b9e
    File name: wdioj124.swf
    Detection ratio: 21 / 56
  • The payload was Tofsee, thanks to @Antelox for confirming this. It actually dropped two payloads but they both had the same hash despite one having the old style “rad” naming.
    SHA256: db04e22734b479bb49e55ab362f1a1c0378d7952ff7b6e3fe7916a11c3e6c84f
    File name: Carciofo.exe
    Detection ratio: 16 / 61
    Invincea backdoor.win32.tofsee.f
  • SHA256: 99d639df944351a1c77279ca0da31d80ce9e9d5a3bde1850a1ffca10dcc0f6c9
    File name: kxuepssx.exe
    Detection ratio: 10 / 61
    Invincea backdoor.win32.tofsee.f
  • Tofsee added itself to startup, listened on random ports and began to send emails.
  • [Image: tofseeexe]
  • ET signatures: [Image: ETTerror]

Magnitude EK via Malvertising

Summary:

This is the first time I have found Magnitude in the wild and also the first time I have looked at it. Magnitude has been around for a long time, so I don’t expect much would have changed with this sample compared to older ones. It is known to drop Cerber ransomware; however, in this sample it failed to download the payload properly.

I’m not sure why it failed, but during the initial bombardment of exploits my browser struggled and crashed, which may have interrupted a flow; reloading the browser seemingly caused another chain to kick off.

There is still lots to look at with this EK so the PCAP and the Flash File which only had one detection on VT at the time of upload is at your leisure.

Background Information:

  • A few articles and samples on Magnitude exploit kit:

https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

http://www.broadanalysis.com/2016/06/27/magnitude-exploit-kit-sends-cerber-ransomware-via-malvertising/

http://www.malware-traffic-analysis.net/2016/08/10/index.html

https://www.zscaler.com/blogs/research/top-exploit-kit-activity-roundup-winter-2017

Downloads

Notable Details:

  • 174.137.155.139 – xml.pdn-3.com – Part of a malvertising chain
  • 176.31.47.10 – perfectvapes.net – Dummy site with Gate One
  • 5.39.113.178 – 3x10ft768i390e4egam.mowecat.com – Site with Gate One, redirects to Magnitude EK
  • 85.25.253.164 – cue66wa74428.aimharm.cricket – Magnitude EK
  • Payload failed to download.
  • Flash File on VirusTotal only had one detection at the time of upload.

Details of infection chain:

[Image: MagnitudeEK]

Magnitude EK used a variety of exploits however the payload failed to download correctly.

Full Details:

  • Magnitude is found via malvertising chains exclusively in the Southeast Asia region.
  • There seems to be several flows but I will list the interesting parts.
  • The first gate contains obfuscated code which redirects to the second gate. [Image: Gate1]
  • The second gate redirects to Magnitude EK, again using obfuscated code. [Image: Gate2]
  • There appear to be two parts to the landing page on separate URLs. This is a snippet of the first one. [Image: LandingPage1]
  • This is a snippet of the second part of Magnitude EK. It begins by using VBScript: [Image: LandingPage2.PNG]
  • I won’t claim to know exactly what exploits Magnitude used. I know it has used at least CVE-2013-2551 (Internet Explorer), CVE-2015-7645 and CVE-2016-4117 (both Flash). The Flash file only had one detection on VT at the time of upload; that vendor identified it as “SWF/Magnitude.Gen” specifically.
  • SHA256: 0e2b5b20706353924e9a6f7a1568ae4076d4620d45f15346dab8e8c3bfdc59b3
    File name: e2gd3fads5
    Detection ratio: 1 / 55
    AhnLab-V3: SWF/Magnitude.Gen (signature update 20170322)

Rig EK delivers Bunitu Proxy Trojan

Summary:

I have been tracking a Rig EK campaign that drops Bunitu. It appears to be cycling domains often. I originally found it via my usual malvertising chain. Every site always has an iframe to another domain usually on the same IP which then leads to Rig EK. I believe the gate requires a correct referrer in order to appear. I’m not sure if this gate exists anywhere else in the wild or whether it is unique to the threat actors behind Bunitu.

If you review the picture below you can see the initial iframe has a width and height of 303, and every iframe redirecting to Rig EK has the “small” tag.

[Image: SmallGate]
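Those two traits (a 303x303 frame, and a “small” marker on the frame that points at Rig EK) are cheap to check for when sweeping the HTML of a suspected compromised site. Here is an added example of that check, not code from the blog: it parses HTML with the standard-library `html.parser`, collects every `<iframe>`, and reports the ones matching either trait. The sample page is constructed (hostnames borrowed from this post, paths made up), and “small” is interpreted as a bare attribute or a class name on the iframe, which is an assumption about what the screenshot shows.

```python
"""Flag iframes that look like the Bunitu gate: 303x303, or carrying "small".
Added example with a constructed sample page."""
from html.parser import HTMLParser

# Constructed page: two gate-style frames (hosts from this post, paths made up)
# and one ordinary embed that must not be flagged.
SAMPLE_HTML = """<html><body>
<p>welcome</p>
<iframe src="http://lifeerotic088.info/a.php" width="303" height="303"></iframe>
<iframe src="http://free.myratcity.com/?q=abc" small></iframe>
<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Valueless attributes (e.g. a bare "small") arrive as None; keep them as "".
            self.iframes.append({k.lower(): (v if v is not None else "") for k, v in attrs})


def _dim(value):
    """'303', '303px', ' 303 ' -> 303; anything without digits -> None."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return int(digits) if digits else None


def find_gate_iframes(html, gate_size=303):
    """Return [(src, [reasons])] for iframes matching the gate traits."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        reasons = []
        if _dim(frame.get("width")) == gate_size and _dim(frame.get("height")) == gate_size:
            reasons.append(f"{gate_size}x{gate_size}")
        if "small" in frame or "small" in (frame.get("class") or "").split():
            reasons.append("small attribute")
        if reasons:
            hits.append((frame.get("src", ""), reasons))
    return hits


if __name__ == "__main__":
    for src, why in find_gate_iframes(SAMPLE_HTML):
        print(f"{src}  <- {', '.join(why)}")
```

A fixed frame size is a weak indicator on its own, so in practice pair a hit with the other observation from this post: the iframe’s target is on the same IP as the page that embeds it, and the gate only answers with the right Referer.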

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on Bunitu Trojan:

https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/

Downloads

  • 180317RigBunitu -> Contains pcapng and payload in password protected zip.

Notable Details:

  • 78.46.232.211 – lieerotic09.info – Compromised Site
  • 78.46.232.211 – lifeerotic088.info – Compromised Site
  • 188.225.35.252 – free.myratcity.com – Rig EK
  • 172.137.242.38 – a.nextgiftrard.com – Bunitu DNS Lookup
  • Payload was pt2p6gun.exe -> VirusTotal

Details of infection chain:

[Image: RigEKBunitu.png]

Rig EK delivers Bunitu proxy trojan. Bunitu opens random ports which turns the host into a proxy.

[Image: BunituInfoGraphic.png]

Older analysis shows the threat actors cycling domains. The gates are similar and Bunitu is always dropped.

Full Details:

  • A site usually found via malvertising contains an iframe to another domain hosted on the same IP. This domain has an iframe to Rig EK.
  • free.myratcity.com-> Landing Page -> Flash  -> Payload
  • Dropped payload “pt2p6gun.exe” which was identified as Bunitu. Confirmed by @Antelox
  • SHA256: 4a94be07c97d5dd10515edc017b5e9ecc4c33e50eb49fc463806270bde11b4ad
    File name: pt2p6gun.exe
    Detection ratio: 27 / 60
  • Bunitu uses a DLL called nillvzs.dll.
    SHA256: 44467fa50dee885fd2b2e690ae12c9ceda099919fab36c055d8d4475557d95a0
    File name: netrowa.dll
    Detection ratio: 24 / 60
  • Bunitu opens random ports by changing firewall settings and allows the host to become a remote proxy.
  • Below is an old screenshot showing ports being opened and an established connection.
[Image: bunito-extrra]

Bunitu opens ports by changing firewall rules.

Rig EK via Malvertising delivers ZeuS Panda

Summary:

I’ve been looking at this compromised site for a few days now. It had previously dropped the Chthonic ZeuS variant, and at other times no payload at all. The iframe that contains the redirect is not hidden. On one occasion it failed to connect to Rig EK, which was displayed as an error within the iframe.

This time the payload was the Panda ZeuS variant. It would not run properly in my VM or in online sandboxes, so once again I sought the help of @Antelox, who quickly identified it as the ZeuS variant Panda Banker. Looks like I’ll have to try to harden my environment a bit, as it appears to have evasive capabilities.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • In depth look at web injects from Panda:

https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/

Downloads

  • Rig170217 -> Pcap and exe in password protected zip.

Notable Details:

  • 78.140.191.92 – go.oclasrv.com – Starting Ad Server
  • Multiple 302 redirects lead to compromised site
  • 108.61.210.80 – fuel.psorheads.com – Compromised Site
  • 188.225.32.62 – free.learntoridemotorcycle.com – Rig EK
  • Payload was ur4m03gi.exe-> VirusTotal
  • Failed run from a few days ago:
  • 78.140.191.217 – go.onclasrv.com – Starting Ad Server
  • Multiple 302 redirects lead to compromised site
  • 108.61.210.80 – fuel.psorheads.com – Compromised Site
  • 188.225.38.164 – art.carondeletevents.com – Rig EK

Details of infection chain:

[Image: RigEKZeuSPanda]

Malvertising leads to Rig EK. Panda did not run in my environment.

[Image: RigEKFailed]

Previous attempt a few days ago, Rig EK did not drop payload.

Full Details:

  • A malvertising chain used multiple 302 redirects.
  • iframe to Rig EK on the compromised website
  • free.learntoridemotorcycle.com -> Landing Page -> Flash  -> Payload
  • Dropped payload “ur4m03gi.exe”
  • SHA256: ed59bddd2c6122fff7c4cd622f61b3e515dcf8908bac90426bb495d3f89a2263
    File name: ur4m03gi.exe
    Detection ratio: 18 / 60
  • This was identified as Panda which is a ZeuS variant by @Antelox.
  • The payload ran for around 30 seconds before creating a .bat file which it executed in order to delete itself.
  • Below are some additional Rig EK landing page URLs.
  • The parameters “qtuif”, “fix” and “que” are very new additions; however, spot the pattern in the “q” parameter, which has not changed 🙂
  • [Image: Rig Domains.PNG]
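When an EK shuffles its URL structure like this, the set of parameter names is often more stable than any one value, so grouping proxy-log URLs by their parameter-name signature is a quick way to pull the Rig requests out of a day’s traffic. The following is an added example, not code from the blog: it extracts the sorted set of query-parameter names from each URL, groups URLs by that set, and flags any URL carrying the core names named in this post (“q”, “fix”, “que”). The URLs are constructed (hosts from this and the following post, parameter values are placeholders and not the real Rig pattern), and a lone “q” is deliberately not enough, since search engines use it too.

```python
"""Group URLs by query-parameter-name signature and flag Rig-style ones.
Added example; the URLs below are constructed, values are placeholders."""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

SAMPLE_URLS = [
    "http://free.learntoridemotorcycle.com/?q=PLACEHOLDER1&fix=1&que=2",
    "http://art.carondeletevents.com/?q=PLACEHOLDER2&fix=3&que=4",
    "http://dfg.twitttwoo.co.uk/?q=PLACEHOLDER3&fix=5&que=6&qtuif=7",
    "http://www.example.com/index.html?utm_source=newsletter&utm_medium=email",
    "http://www.example.com/search?q=motorcycle",
]

# Parameter names this post calls out; "qtuif" is treated as optional noise.
RIG_CORE = frozenset({"q", "fix", "que"})


def param_signature(url):
    """Sorted tuple of parameter names, ignoring values (values vary per victim)."""
    names = {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return tuple(sorted(names))


def group_by_signature(urls):
    """Map each parameter-name signature to the hostnames that used it."""
    groups = defaultdict(list)
    for url in urls:
        groups[param_signature(url)].append(urlsplit(url).hostname)
    return dict(groups)


def looks_like_rig(url, core=RIG_CORE):
    """True when every core parameter name is present; extra names are allowed."""
    return core.issubset(param_signature(url))


def summarize(urls):
    """Signature -> sorted unique hosts, for eyeballing which structures are rare."""
    return {sig: sorted(set(hosts)) for sig, hosts in group_by_signature(urls).items()}


if __name__ == "__main__":
    for sig, hosts in summarize(SAMPLE_URLS).items():
        print(",".join(sig).ljust(32), hosts)
    print("rig-like:", [u for u in SAMPLE_URLS if looks_like_rig(u)])
```

Treat a signature match as a pivot, not a verdict: confirm with the follow-on request sequence (landing page, then Flash, then an exe) and the 302 chain that led there, both visible in the pcap.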

Rig EK via Malvertising delivers ZeuS variant Chthonic

Summary:

Over the past few days I’ve been looking at Cerber for any changes and trying to track Sundown. I have received information leading me to believe that Sundown is no longer operational. Anyway, I returned to my usual malvertising chain, but I was unable to capture the traffic as accurately as before.

This time the payload was Chthonic which is a ZeuS variant. At first I could not identify the sample so requested the help of @Antelox who quickly identified it. Upon further investigation I noticed the DNS requests which I recognised from reading MalwareTraffic in the past. I then checked my ET signatures and found one for Chthonic.

Always good to see different variants of malware, and from sources other than PseudoDarkleech and EITest.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Oldish article regarding Chthonic banking trojan:

https://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/

Downloads

  • rigchthonicPCAP -> Pcap in password protected zip. (2nd pcap has CnC traffic)
  • 130317rigchthonic -> Payload (Chthonic) in password protected zip. Unfortunately I have to use File Dropper, having a few issues with getting this file on my site.

Notable Details:

  • Multiple 302 redirects lead to compromised site
  • 108.61.210.80 – fuel.psorheads.com – Compromised Site
  • 5.200.52.240 – dfg.twitttwoo.co.uk – Rig EK
  • 45.56.117.118 – pationare.bit – Chthonic Domain Lookup
  • 144.76.133.38 – pationare.bit – Chthonic Domain Lookup
  • 89.18.27.34 – pationare.bit – Chthonic Domain Lookup
  • 144.76.133.38 – avaneredge.bit – Chthonic Domain Lookup
  • 89.18.27.34 – avaneredge.bit – Chthonic Domain Lookup
  • Payload was 73mendjd.exe -> VirusTotal
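Both Chthonic here and Smoke Loader in the first post above resolve CnC names under .bit, the Namecoin TLD, which does not exist in the ICANN root: a normal corporate resolver answers NXDOMAIN, so the lookups themselves are the indicator. The following is an added example, not code from the blog, of scanning a DNS query log for blockchain-only TLDs and for dynamic-DNS check-in hosts (the checkip.dyndns.org lookups ET flags later on this page). The log lines are constructed in a simple “timestamp client qname rcode” form, and the dynamic-DNS suffix list is a short illustrative assumption, not a complete one.

```python
"""Scan DNS query logs for blockchain-TLD and dynamic-DNS lookups.
Added example; the log below is constructed (qnames taken from this page)."""
import re

# .bit is the Namecoin TLD; .emc/.coin/.lib/.bazar are Emercoin TLDs. None are
# delegated from the ICANN root, so stock resolvers return NXDOMAIN for them.
BLOCKCHAIN_TLDS = frozenset({"bit", "emc", "coin", "lib", "bazar"})
# Assumption: a short, illustrative list of dynamic-DNS providers.
DYNDNS_SUFFIXES = ("dyndns.org", "no-ip.com", "ddns.net")

SAMPLE_LOG = """\
2017-03-13T10:00:01 10.0.0.5 pationare.bit NXDOMAIN
2017-03-13T10:00:02 10.0.0.5 avaneredge.bit NXDOMAIN
2017-03-29T11:00:00 10.0.0.7 mailsrv.xsayeszhaifa.bit NXDOMAIN
2017-03-29T11:00:03 10.0.0.7 checkip.dyndns.org NOERROR
2017-03-29T11:00:04 10.0.0.7 adobe.com NOERROR
2017-03-29T11:00:05 10.0.0.7 www.bit.ly NOERROR
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")


def classify(qname):
    """Return a reason string if the name is suspicious, else None.
    Only the final label is a TLD, so www.bit.ly is not a .bit lookup."""
    labels = qname.lower().rstrip(".").split(".")
    tld = labels[-1]
    if tld in BLOCKCHAIN_TLDS:
        return f"blockchain TLD .{tld}"
    host = ".".join(labels)
    for suffix in DYNDNS_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return f"dynamic DNS ({suffix})"
    return None


def scan_dns_log(text):
    """Parse the log and return one dict per flagged query, in log order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines instead of aborting the sweep
        reason = classify(match["qname"])
        if reason:
            hits.append({"line": lineno, "client": match["client"],
                         "qname": match["qname"], "rcode": match["rcode"],
                         "reason": reason})
    return hits


def clients_by_reason(hits):
    """Pivot: which clients produced which class of lookup (for host triage)."""
    out = {}
    for hit in hits:
        out.setdefault(hit["reason"], set()).add(hit["client"])
    return out


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"line {hit['line']:>2}  {hit['client']:<10} {hit['qname']:<28} {hit['rcode']:<8} {hit['reason']}")
```

A burst of NXDOMAIN answers for .bit names from one workstation is a strong lead even without a sample: the malware keeps retrying names it cannot resolve, which is also why the generic “DNS Standard query response, Name Error” signature fires alongside the EK ones.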

Details of infection chain:

[Image: RigChthonic]

Malvertising chain led to Chthonic.

Full Details:

  • A malvertising chain used multiple 302 redirects. I had some issue capturing all the traffic so it is not all listed in the image above.
  • iframe to Rig EK on the compromised website
  • dfg.twitttwoo.co.uk  -> Landing Page -> Flash  -> Payload
  • Also of note, there are slight changes in Rig EK’s URL patterns. The parameters “fix” and “que” are present, although not shown in the picture.
  • Dropped payload “73mendjd.exe” which is different to the usual “rad” themed ones.
  • SHA256: ecd0a876582ec3e104aac27b93ba59e388ee822c33917deef3599b30a9c47352
    File name: 73mendjd.exe
    Detection ratio: 9 / 59
  • This was identified as Chthonic which is a ZeuS variant by @Antelox.
  • Chthonic lay idle in the process list for some time. It eventually created a fake Silverlight executable, deleted the original payload and forced a reboot.
  • After reboot the malware had added a start up entry.
  • No POST traffic was observed.

Sundown EK delivers ZeuS Panda (but C2 offline)

Summary:

Found this compromised site by chance. The payload was identified as ZeuS Panda by @Antelox who stated the C2’s were offline. I presume this is why there was no further infection.

As there was not much to say here, I shortened the picture. It seems to be regular Sundown EK.

Background Information on Sundown EK:

Sundown EK has changed so much over the past few months that I’m not sure any article can cover what it is today. Sundown is known to use parts of other exploit kits. It has also been reported that the source code of Sundown has leaked:

https://www.digitalshadows.com/blog-and-research/sun-to-set-on-bepssundown-exploit-kit/

Newish article on ZeuS Panda:

https://blog.gdatasoftware.com/2017/02/29469-zeus-panda-is-back

Downloads

  • Sundown070317 -> Contains pcapng and files in password protected zip.

Notable Details:

  • 208.91.198.67 – parcsdelivered.com – Compromised Website
  • 217.23.15.183 – jrh.ytmbf.xyz – Sundown Landing Page
  • 217.23.15.195 – fbm.ytlyt.xyz – Sundown Payload Download
  • Payload was gs01idwh.exe – VirusTotal

Details of infection chain:

[Image: 070317-SundownZeuSPanda]

ZeuS Panda C2’s were offline so the infection did not go any further.

Full Details:

  • An iframe on the compromised site redirects to Sundown EK.
  • The payload was “gs01idwh.exe”, which @Antelox helped identify as ZeuS Panda.
  • SHA256: 6e5b6e404e25cc24ee339fc3963060560f58135b647129c6726b90dad204ea66
    File name: gs01idwh.exe
    Detection ratio: 36 / 59
  • Since the C2’s were offline, the infection did not proceed. The executable lay idle in the process list.

Rig EK delivers August Stealer

Summary:

On 2 March a site was tweeted by @St3f4nMZ to myself and two others which claimed to show different Sundown patterns. This actually turned out to be Nebula EK.

By the time I had noticed and gotten around to checking Nebula was gone and Rig EK  seemed to have taken its place.

The payload this time looked very strange. It looked like an information stealer but did not trigger any ET signatures and I could not find similar patterns anywhere in the wild. I ended up tweeting @Antelox who said it was August Stealer. It seemed to be a very unusual payload and was very interesting to watch.

At the time, having no idea what it was, I didn’t really know what to look for. By the time it had been identified (today) I had already wiped the machine, so I could not investigate further. Nonetheless this is an interesting find and I hope you enjoy it. Files and PCAPs are below.

Background Information:

  • A few articles on Rig exploit kit and its evolution:

https://www.uperesia.com/analyzing-rig-exploit-kit
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html
http://securityaffairs.co/wordpress/55354/cyber-crime/rig-exploit-kit-cerber.html

  • Article on August Stealer:

https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene

Downloads

Notable Details:

  • 188.215.92.103 – hurtmehard.net – Compromised site 
  • 92.53.97.222 – 1rew.neighbourhoodreunion.com – Rig EK
  • 91.226.10.138 – POST blog.ru/blog/gate – August Stealer CnC
  • Payload was qvzyux09.exe -> VirusTotal

Details of infection chain:

[Image: 040317-RigAugust]

August stealer posts encrypted data to C2.

Full Details:

  • Compromised site has iframe redirecting to Rig EK.
  • Site seemed to have two iframes which caused double landing page, etc.
  • 1rew.neighbourhoodreunion.com -> Landing Page -> Flash  -> Payload
  • There was no Pre-Landing page.
  • Dropped payload “qvzyux09.exe” which is different to the usual “rad” themed ones.
  • SHA256: de519cd2ac49e2d608f4785fb2434fbd0075e39ecfd482edab5b60524376cd12
    File name: qvzyux09.exe
    Detection ratio: 29 / 59
  • With the help of @Antelox this was identified as “August stealer”
  • I used an article from Proofpoint to confirm that it was August, or at least a variant of it.
  • This is a picture from Proofpoint of C2 traffic: [Image: stealer-9]
  • Note the user agent, cookie and data after the “q=” is very similar to my POST traffic.

Sundown EK delivers Zloader and Zbot

Summary:

Looks like Sundown is still alive or perhaps this is now Nebula EK? This is the first time Zloader has actually delivered Zbot on my setup so it was very interesting.

I didn’t see any steganography in action, but it is there in the landing page.

I’ve been in touch with a Twitter user that knows a lot about Sundown EK and they have provided me with some very useful information which I hope to use to improve my setup.

Background Information on Sundown EK:

Sundown EK has changed so much over the past few months that I’m not sure any article can cover what it is today. Sundown is known to use parts of other exploit kits. It has also been reported that the source code of Sundown has leaked:

https://www.digitalshadows.com/blog-and-research/sun-to-set-on-bepssundown-exploit-kit/

Here is some information on Zloader and Zbot which I used for IOC’s:

https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/

Downloads

Notable Details:

  • 50.87.151.234 – seardomaiceu.com – Compromised Website
  • 217.23.15.183 – ly.yt1zs.xyz – Sundown Landing Page
  • 217.23.15.195 – fbm.yt1zs.xyz – Sundown Payload Download
  • 130.211.53.103 – emptysand.ru – Zloader Check In
  • 188.138.112.60:1521 – Zbot/ZeuS
  • 37.59.46.159:9001 – Zbot/ZeuS
  • 171.25.193.77:443 – Zbot/ZeuS
  • 86.59.119.88:443 – Zbot/ZeuS
  • 134.130.181.43:9001 – Zbot/ZeuS
  • 87.7.18.84:4001 – Zbot/ZeuS
  • 195.154.113.200:443 – Zbot/ZeuS

Details of infection chain:

[Image: Sundown030717]

Sundown EK delivers Zloader which then installs Zbot.

Full Details:

  • An iframe on the compromised site redirects to Sundown EK.
  • The compromised site made little attempt to appear genuine:
  • [Image: CompromisedSite]
  • The payload was “63i7my8n.exe” also no longer called “rad” like Rig EK was naming them.
  • SHA256: 0e57545e718bdf7b45a5e8f4314a83b79076ddd7300dbcc106aea51b2e2e814f
    File name: 63i7my8n.exe
    Detection ratio: 6 / 59
  • The payload was Zloader. It used the MSI installer to install an application called “tor.exe”. It made the following request:
  • POST /Wcvb6tMm/ga43t.php
  • This led to Zbot, which then established several connections and created files:
  • [Image: Zbot]
  • [Image: Zbot2]
  • Steganography in the landing page:
  • [Image: Stego]
  • Below is the full list of Emerging Threats signatures:
  • ET POLICY TLS possible TOR SSL traffic (A Network Trojan was Detected) [2018789]
    GPL MISC 0 ttl (Misc activity) [2101321]
    ET TROJAN Generic – POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) (A Network Trojan was Detected) [2016858]
    ETPRO CURRENT_EVENTS SunDown EK Landing Jan 27 2017 M5 (A Network Trojan was Detected) [2824677]
    ETPRO TROJAN Win32/Terdot.A / Zloader Checkin (A Network Trojan was Detected) [2809511]
    ET POLICY Reserved Internal IP Traffic (Potentially Bad Traffic) [2002752]
    ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752) (A Network Trojan was Detected) [2022894]
    GPL POLICY TRAFFIC Non-Standard IP protocol (Detection of a Non-Standard Protocol or Event) [2101620]
    ETPRO CURRENT_EVENTS Possible SunDown EK Landing URI Struct Jan 05 2017 (A Network Trojan was Detected) [2824220]
    ET INFO DYNAMIC_DNS Query to *.dyndns. Domain (Misc activity) [2012758]
    ET POLICY Suspicious inbound to Oracle SQL port 1521 (Potentially Bad Traffic) [2010936]
    ETPRO CURRENT_EVENTS SunDown EK Landing Jan 27 2017 M4 (A Network Trojan was Detected) [2824676]
    ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 3 (A Network Trojan was Detected) [2017738]
    ETPRO CURRENT_EVENTS SunDown EK Landing Jan 27 2017 M1 (A Network Trojan was Detected) [2824673]
    ETPRO CURRENT_EVENTS SunDown EK Landing Jan 27 2017 M6 (A Network Trojan was Detected) [2824678]
    ETPRO CURRENT_EVENTS Possible SunDown/Xer EK Payload Apr 08 M1 (A Network Trojan was Detected) [2819647]
    ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 2 (A Network Trojan was Detected) [2017737]
    ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 1 (A Network Trojan was Detected) [2017736]
    ET DNS Standard query response, Name Error (Not Suspicious Traffic) [2001117]
    ETPRO CURRENT_EVENTS SunDown EK Landing Feb 13 2017 10 (A Network Trojan was Detected) [2824908]
    ETPRO CURRENT_EVENTS SunDown EK Flash June 23 2015 M2 (A Network Trojan was Detected) [2811658]
    ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 26 2016 T2 (A Network Trojan was Detected) [2023303]
    ET POLICY Outdated Windows Flash Version IE (Potential Corporate Privacy Violation) [2014726]
    ET POLICY HTTP Request on Unusual Port Possibly Hostile (Potential Corporate Privacy Violation) [2006408]
    ET TROJAN Zeus Bot Connectivity Check (A Network Trojan was Detected) [2011588]
    ET CURRENT_EVENTS SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename (A Network Trojan was Detected) [2021752]
    ET POLICY External IP Lookup – checkip.dyndns.org (Potential Corporate Privacy Violation) [2021378]
    ETPRO CURRENT_EVENTS SunDown EK Flash June 23 2015 M2 (A Network Trojan was Detected) [2811659]
    ET POLICY DynDNS CheckIp External IP Address Server Response (Potentially Bad Traffic) [2014932]
    ETPRO CURRENT_EVENTS RIG/Sundown/Xer EK Payload Jul 06 2016 M2 (A Network Trojan was Detected) [2820989]

Sundown EK delivers failed payload

Summary:

I had an idea about tracking campaigns and ended up discovering Sundown EK again. This version appears to be more crude than the one I previously detected. It uses .xyz domains and allowed me to attempt to access the landing page multiple times. I did not see steganography in action, but it is likely still there in the landing page if anyone wants to attempt to decode it.

The payload seemed to fail, claiming it was not a valid application. A DLL called shell32.dll was downloaded, however, and VT detections suggest this may have been some sort of ransomware. Nonetheless, it is always interesting to find Sundown EK.

Background Information on Sundown EK:

Sundown EK has changed so much over the past few months that I’m not sure any article can cover what it is today. Sundown is known to use parts of other exploit kits. It has also been reported that the source code of Sundown has leaked:

https://www.digitalshadows.com/blog-and-research/sun-to-set-on-bepssundown-exploit-kit/

Downloads

  • sundown010317 -> Contains pcapng and files in password protected zip.

Notable Details:

  • 50.87.151.234 – moneytomoneya[.]com – Compromised Website
  • 194.88.105.168 – lmo.ylwt[.]xyz – Sundown Landing Page
  • Extra domains – fho.ytlyb[.]xyz and kb.ytlyf[.]xyz
  • Payload failed to download.

Details of infection chain:

[Image: sundownfail]

The payload failed but I was able to access the landing page multiple times which created multiple failed payloads and two extra Sundown domains.

Full Details:

  • An iframe on the compromised site redirects to Sundown EK.
  • I reloaded the page multiple times and saw 3 Sundown EK domains (lmo.ylwt[.]xyz, fho.ytlyb[.]xyz and kb.ytlyf[.]xyz, from top to bottom) -> Landing Page -> Flash
  • The payload seemed to fail, but a malicious DLL was dropped. I also put one of the Flash files through VirusTotal:
  • SHA256: 732116b9d3a8373edeac0f506ec78ce2c6adbb075d2ba8586951f79ec4c4d6ba
    File name: shell32.dll
    Detection ratio: 14 / 58
  • SHA256: c3049b3592a5768d5af090805caeb628fd37990f1f98af8f1529434c0f0fe16c
    File name: 0E2[1].swf
    Detection ratio: 15 / 55
  • Interestingly I had some ET signatures for exploits used by White Lotus EK:
  • ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 3 (A Network Trojan was Detected) [2017738]
    ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 2 (A Network Trojan was Detected) [2017737]
    ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 1 (A Network Trojan was Detected) [2017736]