Updated Sundown Exploit Kit Uses Steganography

This year has seen a big shift in the exploit kit landscape, with many of the bigger players unexpectedly dropping out of action. The Nuclear exploit kit operations started dwindling in May, Angler disappeared around the same time Russia’s Federal Security Service made nearly 50 arrests last June, and then in September Neutrino reportedly went private and shifted focus to select clientele only. Now, the most prominent exploit kits in circulation are RIG and Sundown. Both gained prominence shortly after Neutrino dropped out of active circulation.

Sundown is something of an outlier from typical exploit kits. It tends to reuse old exploits and doesn’t make an effort to disguise their activity. The URLs for Sundown requests for Flash files end in .swf, while Silverlight requests end in .xap. These are the normal extensions for these file types. Typically, other exploit kits make an effort to hide their exploits. In addition, Sundown doesn’t have the anti-crawling feature used by other exploit kits.

Recent use of Sundown/RIG

Sundown and RIG were both in the spotlight last September when a malvertising campaign was found to be distributing the CryLocker ransomware through both exploit kits. Researchers first detected RIG pushing this ransomware as its payload on September 1, Sundown started doing so on September 5. CryLocker was unique in that it used Portable Network Graphic (PNG) files to package the information stolen from the infected system. The PNG file was then uploaded into an Imgur album, where ransomware operators could access it easily but also evade detection.

The developers of this particular malware gave their files a valid PNG header, but no image. The file only had the system information as ASCII strings. This makes it distinct from steganography, which hides secret messages, files, or information in an image.

Steganography Techniques used by Exploit Kits

Steganography is an advanced technique used to hide malicious code into an image to prevent signature based detection. It’s quite popular and has been used in several malvertising and exploit kit attacks. Earlier this year, the massive GooNky malvertising campaign used multiple techniques to hide their malvertising traffic, including moving part of malicious code into images to prevent detection. However, here the attackers didn’t really “hide” the data in the picture itself – they merely appended their malicious code at the end of the file.

In a more advanced case, Trend Micro researchers worked with colleagues across the security community to dive into the steganography tactics used in the AdGholas malvertising campaign and its associated Astrum exploit kit. The campaign encoded a script into an image’s alpha channel, which defines the transparency of the pixels. The minor modification allows the malware designer to mimic a legitimate ad, with only a slight difference in color. This makes it more difficult for these malicious ads to be spotted and analyzed.

On December 27, 2016, we noticed that Sundown was updated to use similar techniques. The PNG files weren’t just used to store harvested information; the malware designers now used steganography to hide their exploit code.

The newly updated exploit kit was used by multiple malvertising campaigns to distribute malware. The most affected countries were Japan, Canada, and France, though Japanese users accounted for more than 30% of the total targets.

Figure 1. Distribution of the Sundown exploit kit targets from December 21 to 27

As we noted earlier, previous Sundown versions directly connected victims to the Flash exploit file on their landing page. In this updated version, the exploit kit’s malvertisement creates a hidden iframe that automatically connects to the Sundown landing page. The page will retrieve and download a white PNG image. It then decodes the data in this PNG file to obtain additional malicious code:

Figure 2. Steganography used in Sundown exploit kit infection chain (Click to enlarge)

Upon further analysis of the exploit code inside the PNG image, we found that it included the exploit code targeting CVE-2015-2419, a vulnerability in the JScript handling of Internet Explorer. A Flash exploit for CVE-2016-4117 is also retrieved by the exploit code. The landing page itself includes an exploit targeting another Internet Explorer (IE) vulnerability, CVE-2016-0189. All of these exploits have been patched and have been used by other exploit kits this the past year.

Figure 3. JavaScript Code inside landing page to decode the PNG file

The malware dropped by Sundown here is the Chthonic banking Trojan (detected by Trend Micro as TSPY_CHTHONIC.A). Chthonic is a variant of the Zeus malware that was used in a PayPal scam last July.

The Sundown exploit kit exploits vulnerabilities in Adobe Flash and JavaScript, among others. Trend Micro protects users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates. The Browser Exploit Prevention feature on endpoint products such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security blocks the exploit once the user accesses the URL it is hosted in. Browser Exploit Prevention protects against exploits that target browsers or related plugins.

Indicators of Compromise

The following domains were used by the Sundown Exploit kit with the matching IP addresses:

xbs.q30.biz (188.165.163.228)
cjf.0340.mobi (93.190.143.211)

The Chthonic sample has the following SHA1 hash:

c2cd9ea5ad1061fc33adf9df68eeed6a1883c5f9

The sample also used the following C&C server:

pationare.bit