2015-06-08 - Landscape

Fast look at Sundown EK

Sun Down - Top Gun

Disclaimer: there is nothing worth a post here... except mentioning that this EK is around.
I would put that "kit" in the same sad basket as Archie (same level, same kind of traffic source).

The exploit kit has been out there since mid-April. I first heard about it from Will Metcalf of Emerging Threats.

Studying the TDS in front of it, we concluded that this specific thread was focused on Japan, hence the name Will Metcalf decided to give it. Please note that this was obviously only one thread; many others are focused on other countries, or their delivery path is not geo-locked at all.

TL;DR
----
It has code to exploit:
CVE-2013-7331, CVE-2014-6332, CVE-2014-0569, CVE-2014-0556, CVE-2015-0311, CVE-2015-0313; uses VBE (encoded VBScript).
PowerShell and IE dependent.
No decision tree: carpet bombing.
No locking feature yet (IP/Geo, etc.; has to be done in front of it).
----
In one image :

Sundown EK
2015-06-08
----------------
GET http://dessawert.co .vu/?9a91fd589e97ce5c007615a4de72a74d7e8ffd
200 OK (text/html) Landing in Carpet bombing mode.

Sundown Landing - 2015-06-08

GET http://dessawert.co .vu/SDDS2/asddfs.php
200 OK (text/html)

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/665h311.swf
200 OK (application/x-shockwave-flash) 9c58582d688b228f7e6aa7c81977fe39 CVE-2015-0311

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/es6L313.swf
200 OK (application/x-shockwave-flash) dfa724814e82af648737e8bb59dd76d8 CVE-2015-0313

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/asdt17.swf
200 OK (application/x-shockwave-flash) 8ae899555cd88b89e4762fb5653d1633 CVE-2014-0569

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/street1.php
200 OK (text/html)

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/5Z9T14.swf
200 OK (application/x-shockwave-flash) 37f0844c742e8ecd32cdfbaa290fed61 CVE-2014-0556

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/street2.php
200 OK (text/html) CVE-2013-7331 and Wscript ActiveX


CVE-2013-7331 once decoded


GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/street3.php
200 OK (text/html)  Wscript ActiveX

GET http://dessawert.co .vu/JKHFLKJDGHBRKLJFGDBJHRFDGTBERHJKTERBHJ3/street4.php
200 OK (text/html)  CVE-2014-6332

GET http://msiurgfhjrlsuhgfrslihkj.co .vu/SDDS2/d.php?d=EDWEDRFEDDF-3.exe
200 OK (Application/octet-stream) e0c925d1a0c5c7022bfb00ab8b63628e Payload

GET http://dessawert.co .vu/url.php
200 OK (text/html)
----------------
Note: you can use the ayra.ch VBScript encoder and decoder to decode those blocks:
#@~^XXXXXX== [Stuff] ==^#~@
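Detection logic for the carpet-bombing pattern above, as an added example that is not part of the original post: it reads constructed proxy log lines (placeholder hosts, the capture's own paths) and flags a client that fetched several distinct SWFs from one host and then an octet-stream from a different host, which is the shape of this session.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log modelled on the session above (hosts are placeholders,
# paths are the ones seen in the capture). Format: client method url status content-type
SAMPLE_LOG = """\
10.0.0.5 GET http://ek-landing.example/?9a91fd589e97ce5c007615a4de72a74d7e8ffd 200 text/html
10.0.0.5 GET http://ek-landing.example/SDDS2/asddfs.php 200 text/html
10.0.0.5 GET http://ek-landing.example/JKHF3/665h311.swf 200 application/x-shockwave-flash
10.0.0.5 GET http://ek-landing.example/JKHF3/es6L313.swf 200 application/x-shockwave-flash
10.0.0.5 GET http://ek-landing.example/JKHF3/asdt17.swf 200 application/x-shockwave-flash
10.0.0.5 GET http://ek-landing.example/JKHF3/street1.php 200 text/html
10.0.0.5 GET http://ek-landing.example/JKHF3/5Z9T14.swf 200 application/x-shockwave-flash
10.0.0.5 GET http://ek-landing.example/JKHF3/street2.php 200 text/html
10.0.0.5 GET http://ek-payload.example/SDDS2/d.php?d=EDWEDRFEDDF-3.exe 200 Application/octet-stream
10.0.0.9 GET http://cdn.example/site/player.swf 200 application/x-shockwave-flash
10.0.0.9 GET http://cdn.example/downloads/setup.exe 200 application/octet-stream
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def parse(log):
    """Yield (client, host, path, status, content-type) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, url, status, ctype = m.groups()
        parts = urlsplit(url)
        # MIME types are case-insensitive; the capture shows "Application/octet-stream".
        yield client, parts.hostname, parts.path, int(status), ctype.lower()

def flag_carpet_bombing(log, min_swf=3):
    """Return {client: finding} for clients that pulled >= min_swf distinct SWFs
    from one host and afterwards an octet-stream from a different host."""
    swf_by_client = defaultdict(lambda: defaultdict(set))
    hits = {}
    for client, host, path, status, ctype in parse(log):
        if status != 200:
            continue
        if ctype == "application/x-shockwave-flash":
            swf_by_client[client][host].add(path)
        elif ctype == "application/octet-stream":
            for swf_host, paths in swf_by_client[client].items():
                if len(paths) >= min_swf and swf_host != host:
                    hits[client] = {"exploit_host": swf_host, "swf_count": len(paths), "payload_host": host}
    return hits
```

A browser with no Flash plugin would never request four SWFs from one directory in a row, so the SWF count alone already separates this session from the ordinary one on the second client.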
Login Screen :

Sundown - Customer login Screen


Sundown - Panel
NB: the panel shown here is not tied to the traffic studied; the screenshots are 1 month older than the traffic analysed.


Files: Fiddler and piece of code.
Thanks: Will Metcalf and Fox-IT for inputs/intel.

Post-publication reading:
Beta exploit pack: one more piece of crimeware for the infection road! - 2015-06-18 - Aditya K. Sood & Rohit Bansal - VirusBulletin