Summary:
I had an idea about tracking campaigns and ended up discovering Sundown EK again. This version appears to be cruder than the one I previously detected. It uses .xyz domains and allowed me to access the landing page multiple times. I did not see steganography, but it is likely still there in the landing page if anyone wants to attempt to decode it.
The payload seemed to fail, claiming it was not a valid application. A DLL called shell32.dll was downloaded, however, and VirusTotal detections suggest it may have been some sort of ransomware. Nonetheless, it is always interesting to find Sundown EK.
Background Information on Sundown EK:
Sundown EK has changed so much over the past few months that I’m not sure any article can cover what it is today. Sundown is known to use parts of other exploit kits. It has also been reported that the source code of Sundown has leaked:
https://www.digitalshadows.com/blog-and-research/sun-to-set-on-bepssundown-exploit-kit/
Downloads
- sundown010317 -> Contains pcapng and files in a password-protected zip.
Notable Details:
- 50.87.151.234 – moneytomoneya[.]com – Compromised Website
- 194.88.105.168 – lmo.ylwt[.]xyz – Sundown Landing Page
- Extra domains – fho.ytlyb[.]xyz and kb.ytlyf[.]xyz
- Payload failed to download.
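The indicators above are written in the defanged form (`[.]`) that is standard for sharing IoCs. As an added example that is not part of the original post, the script below refangs those indicators and checks them against constructed proxy log lines; the log lines, timestamps and internal IP are invented for the demonstration, only the domains, IPs and SHA256 hashes come from this post.

```python
import re
from typing import Dict, List, Tuple

# Indicators copied from the post's "Notable Details" and VirusTotal entries,
# kept in the defanged form used there.
DEFANGED_IOCS: Dict[str, List[str]] = {
    "ip": ["50.87.151.234", "194.88.105.168"],
    "domain": ["moneytomoneya[.]com", "lmo.ylwt[.]xyz", "fho.ytlyb[.]xyz", "kb.ytlyf[.]xyz"],
    "sha256": [
        "732116b9d3a8373edeac0f506ec78ce2c6adbb075d2ba8586951f79ec4c4d6ba",
        "c3049b3592a5768d5af090805caeb628fd37990f1f98af8f1529434c0f0fe16c",
    ],
}

# Constructed sample proxy log (not from the post's pcap): timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = [
    "2017-01-03T10:12:01Z 10.0.0.5 GET http://www.moneytomoneya.com/index.php 200",
    "2017-01-03T10:12:03Z 10.0.0.5 GET http://lmo.ylwt.xyz/ 200",
    "2017-01-03T10:12:04Z 10.0.0.5 GET http://lmo.ylwt.xyz/0E2.swf 200",
    "2017-01-03T10:12:09Z 10.0.0.5 GET http://example.org/news 200",
    "2017-01-03T10:12:15Z 10.0.0.5 CONNECT 194.88.105.168:80 - 200",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('lmo.ylwt[.]xyz', 'hxxp://') back into its real form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def load_iocs(defanged: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Refang and lower-case every indicator so matching is case-insensitive."""
    return {kind: [refang(v).lower() for v in values] for kind, values in defanged.items()}


def hits_for_line(line: str, iocs: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (kind, indicator) pairs found in one log line.

    IPs must be bounded by non-address characters so 50.87.151.23 does not match
    50.87.151.234; domains match themselves or any subdomain (www.moneytomoneya.com)
    but not a longer label such as notmoneytomoneya.com.
    """
    text = line.lower()
    hits: List[Tuple[str, str]] = []
    for ip in iocs["ip"]:
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", text):
            hits.append(("ip", ip))
    for dom in iocs["domain"]:
        if re.search(r"(?<![a-z0-9-])" + re.escape(dom) + r"(?![a-z0-9-])", text):
            hits.append(("domain", dom))
    for digest in iocs["sha256"]:
        if digest in text:
            hits.append(("sha256", digest))
    return hits


def scan_log(lines: List[str], iocs: Dict[str, List[str]] = None) -> List[Tuple[int, List[Tuple[str, str]]]]:
    """Return (line_index, hits) for every line that matched at least one indicator."""
    if iocs is None:
        iocs = load_iocs(DEFANGED_IOCS)
    return [(i, hits) for i, line in enumerate(lines) if (hits := hits_for_line(line, iocs))]


if __name__ == "__main__":
    for idx, found in scan_log(SAMPLE_PROXY_LOG):
        print(f"line {idx}: {found}")
```

The same `scan_log` can be pointed at exported Zeek `http.log` or proxy logs; in a real deployment the SHA256 check belongs on file or EDR telemetry rather than proxy lines, since hashes rarely appear in URL logs.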
Details of infection chain:
The payload failed, but I was able to access the landing page multiple times, which produced multiple failed payloads and two extra Sundown domains.
Full Details:
- An iframe on the compromised site redirects to Sundown EK.
- I reloaded the page multiple times and saw 3 Sundown EK domains – lmo.ylwt[.]xyz, fho.ytlyb[.]xyz and kb.ytlyf[.]xyz (listed top to bottom in the capture). Each followed the same chain: Landing Page -> Flash.
- The payload seemed to fail but a malicious DLL was dropped. I also put one of the Flash files through VirusTotal:
- SHA256: 732116b9d3a8373edeac0f506ec78ce2c6adbb075d2ba8586951f79ec4c4d6ba – File name: shell32.dll – Detection ratio: 14 / 58
- SHA256: c3049b3592a5768d5af090805caeb628fd37990f1f98af8f1529434c0f0fe16c – File name: 0E2[1].swf – Detection ratio: 15 / 55
- Interestingly, I had some ET signatures fire for exploits used by White Lotus EK:
- ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 3 (A Network Trojan was Detected) [2017738]
- ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 2 (A Network Trojan was Detected) [2017737]
- ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 1 (A Network Trojan was Detected) [2017736]