I had an idea about tracking campaigns and ended up discovering Sundown EK again. This version appears to be more crude than the one I previously detected. It uses XYZ domain and allowed me to attempt to access the landing page multiple times. I did not see stenography but it is likely still there in the landing page if anyone wants to attempt to decode it.
The payload seemed to fail claiming it was not a valid application. A DLL called shell32.dll was downloaded however and VT detection’s suggests this may have been some sort of ransomware. None the less, it is always interesting to find Sundown EK.
Background Information on Sundown EK:
Sundown EK has changed so much over the past few months that I’m not sure any article can cover what it is today. Sundown is known to use parts of other exploit kits. It has also been reported that the source code of Sundown has leaked:
- sundown010317-> Contains pcapng and files in password protected zip.
- 126.96.36.199 – moneytomoneya[.]com – Compromised Website
- 188.8.131.52 – lmo.ylwt[.]xyz – Sundown Landing Page
- Extra domains – fho.ytlyb[.]xyz and kb.ytlyf[.]xyz
- Payload failed to download.
Details of infection chain:
(click to enlarge!)
- An iframe on the compromised site redirects to Sundown EK.
- I reloaded the page multiple times and saw 3 Sundown EK domains – lmo.ylwt[.]xyz, fho.ytlyb[.]xyz and kb.ytlyf[.]xyz from top to bottom -> Landing Page -> Flash
- The payload seemed to fail but a malicious DLL was dropped. I also put one of the Flash files through Virus Total:
SHA256: 732116b9d3a8373edeac0f506ec78ce2c6adbb075d2ba8586951f79ec4c4d6ba File name: shell32.dll Detection ratio: 14 / 58
SHA256: c3049b3592a5768d5af090805caeb628fd37990f1f98af8f1529434c0f0fe16c File name: 0E2.swf Detection ratio: 15 / 55
- Interestingly I had some ET signatures for exploits used by White Lotus EK:
- ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 3 (A Network Trojan was Detected) 
ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 2 (A Network Trojan was Detected) 
ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 1 (A Network Trojan was Detected)