Not too long ago, we touched upon how exploit kits have suddenly lost popularity among cyber criminals. As it turns out, there is a new player on the market, which goes by the name of Sundown. Even though Sundown has been around for some time, the developers of this exploit kit have added new exploits and obfuscation techniques to make their offering more appealing.
Sundown Exploit Kit Can Become The New Player
It was only a matter of time until exploit kits would surge in popularity again. Even though 2016 has been a rather bad year for EKs, it looks like things are slowly turning around. Sundown, an exploit kit once rated as “second-tier”, is gaining a lot of attention from criminals all over the world. Even though the most popular exploit kits have all but disappeared into obscurity, Sundown is one of the few EKs that successfully remained active over the past year and a half.
One thing is certain: the Sundown developers have injected their exploit kit with a ton of new features. Just a few months ago, security experts labeled the product as “rough around the edges” and “unsophisticated”. However, the new iteration of this exploit kit gives plenty of reason for concern, as it is now classified as a “substantial threat”. A lot can change over the course of a few months, even in the world of cyber crime.
While the Sundown developers have added a lot of new functionality, they also got rid of some useless features. Removing the original identifiers – or most of them, at least – makes the revised Sundown exploit kit virtually impossible to detect. Moreover, the numeric subfolders and filenames, as well as the previous iteration’s file extensions, have all been stripped out of the source code. In a way, one could argue Sundown has gotten a new lease on life and is starting out with a clean slate.
As mentioned earlier, Sundown has received some new tools to make life easier for cyber criminals. In fact, it is one of the very few exploit kits in existence that has been updated with recent exploits, which is what makes it so incredibly dangerous. One of the new exploits targets a recently disclosed vulnerability in the Microsoft Edge browser. Additionally, the developers have changed the way Sundown compromises systems, which is perhaps even more concerning.
To be more specific, Sundown deploys its complete collection of malware tools to compromise a target. Although this is anything but a stealthy approach, it goes to show this can be quite an effective method of attack. Moreover, the payload is no longer retrieved through the web browser, but through a command-line interface. In addition, the exploit kit makes use of a Windows service to execute VBScript files.
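For defenders, the behaviour described above (a Windows service launching VBScript, and payload retrieval moving from the browser to a command line) is something that surfaces in process-creation telemetry. The following is an added example written for this article, not code from the article or from the Sundown authors: it runs a small rule set over constructed, hypothetical key=value process-creation events and flags script hosts (wscript.exe / cscript.exe) started directly by the Service Control Manager, or running a .vbs file from a command shell. The log format, the rule thresholds and the sample lines are all assumptions made for the illustration.

```python
"""Flag script-host launches that match the service-driven VBScript execution
described in the article. The event format below is a hypothetical key=value
sensor output and every sample line is constructed, not real telemetry."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: a Windows service's initial process is a direct child of the
# Service Control Manager (services.exe).
SERVICE_MANAGERS = {"services.exe"}
COMMAND_SHELLS = {"cmd.exe"}

# key=value pairs; quoted values may contain spaces (e.g. a full command line).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    'pid=612 ppid=4 image=C:\\Windows\\System32\\services.exe parent=System cmdline="services.exe"',
    'pid=2044 ppid=1180 image=C:\\Windows\\System32\\notepad.exe parent=C:\\Windows\\explorer.exe cmdline="notepad.exe notes.txt"',
    'pid=3320 ppid=612 image=C:\\Windows\\System32\\wscript.exe parent=C:\\Windows\\System32\\services.exe cmdline="wscript.exe //B C:\\ProgramData\\upd.vbs"',
    'pid=3388 ppid=2900 image=C:\\Windows\\System32\\cscript.exe parent=C:\\Windows\\System32\\cmd.exe cmdline="cscript.exe //nologo C:\\Users\\Public\\run.vbs"',
    'pid=3400 ppid=1180 image=C:\\Windows\\System32\\cscript.exe parent=C:\\Windows\\explorer.exe cmdline="cscript.exe C:\\Tools\\inventory.vbs"',
]


def parse_event(line):
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def _basename(path):
    """Lower-cased file name of a Windows path (works on non-Windows hosts too)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the reasons this process-creation event looks like service- or
    shell-driven VBScript execution, or an empty list if nothing matched."""
    reasons = []
    image = _basename(event.get("image", ""))
    parent = _basename(event.get("parent", ""))
    cmdline = event.get("cmdline", "").lower()
    if image not in SCRIPT_HOSTS:
        return reasons
    if parent in SERVICE_MANAGERS:
        reasons.append("script host started directly by the Service Control Manager")
    if parent in COMMAND_SHELLS and ".vbs" in cmdline:
        reasons.append("VBScript file launched from a command shell")
    return reasons


def scan(lines):
    """Run classify over every event line; return (pid, reasons) for each hit."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("pid", "?"), reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: " + "; ".join(reasons))
```

On the sample data this flags pid 3320 (wscript.exe spawned by services.exe) and pid 3388 (cscript.exe running a .vbs from cmd.exe) and leaves the administrator's inventory script launched from Explorer alone. In a real deployment the rules would be tuned against a baseline of legitimate service-launched scripts, since some management software does start script hosts this way.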
It is evident there are plenty of reasons to be concerned about the new and improved Sundown exploit kit. Considering how the exploit campaign uses domain resellers to collect domain names to host Sundown activity, it is only a matter of time until a global distribution campaign takes place. A power vacuum has been created in the exploit kit landscape, and Sundown is planning to capitalize on its momentum.
If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.