{ "Event": { "analysis": "2", "date": "2016-12-29", "extends_uuid": "", "info": "OSINT - Updated Sundown Exploit Kit Uses Steganography", "publish_timestamp": "1483646629", "published": true, "threat_level_id": "3", "timestamp": "1483646568", "uuid": "586cb1ff-6bcc-4029-88b0-4fa9950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#001cad", "local": false, "name": "estimative-language:likelihood-probability=\"very-likely\"", "relationship_type": "" }, { "colour": "#0fc000", "local": false, "name": "admiralty-scale:information-credibility=\"2\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"Chthonic\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:exploit-kit=\"Sundown\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1483518477", "to_ids": false, "type": "link", "uuid": "586cb20d-8ac8-4caf-a052-4631950d210f", "value": "http://blog.trendmicro.com/trendlabs-security-intelligence/updated-sundown-exploit-kit-uses-steganography/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1483518499", "to_ids": false, "type": "comment", "uuid": "586cb223-931c-421a-aea1-4147950d210f", "value": "2016 saw a big shift in the exploit kit landscape, with many of the bigger players unexpectedly dropping out of action. The Nuclear exploit kit operations started dwindling in May, Angler disappeared around the same time Russia\u2019s Federal Security Service made nearly 50 arrests last June, and then Neutrino reportedly went private and shifted to focus on select clientele in September. RIG and Sundown are now the most prominent exploit kits in circulation, gaining prominence shortly after Neutrino dropped out of active circulation.\r\n\r\nSundown is something of an outlier from typical exploit kits. It tends to reuse old exploits and doesn\u2019t make an effort to disguise their activity. The URLs for Sundown requests for Flash files end in .swf, while Silverlight requests end in .xap. These are the normal extensions for these file types. Typically, other exploit kits make an effort to hide their exploits. In addition, Sundown doesn\u2019t have the anti-crawling feature used by other exploit kits.\r\n\r\nRecent use of Sundown/RIG\r\n\r\nSundown and RIG were both in the spotlight last September when a malvertising campaign was found to be distributing the CryLocker ransomware through the two exploit kits. Researchers first detected RIG pushing this ransomware as its payload on September 1, while Sundown started doing so on September 5. CryLocker was unique in that it used Portable Network Graphic (PNG) files to package the information stolen from the infected system. The PNG file was then uploaded to an Imgur album, where ransomware operators could access it easily while evading detection.\r\n\r\nThe developers of this particular malware gave their files a valid PNG header, but no image. The file only had the system information as ASCII strings. This makes it distinct from steganography, which hides secret messages, files, or information in an image.\r\n\r\nSteganography Techniques used by Exploit Kits\r\n\r\nSteganography is an advanced technique used to hide malicious code in an image to prevent signature based detection. It\u2019s quite popular and has been used in several malvertising and exploit kit attacks. Earlier this year, the massive GooNky malvertising campaign used multiple techniques to hide their malvertising traffic, including moving part of malicious code into images to prevent detection. However, here the attackers didn\u2019t really \u201chide\u201d the data in the picture itself \u2013 they merely appended their malicious code at the end of the file.\r\n\r\nIn a more advanced case, Trend Micro researchers worked with colleagues in the security community to look into the steganography tactics used in the AdGholas malvertising campaign and its associated Astrum exploit kit. The campaign encoded a script into an image\u2019s alpha channel, which defines the transparency of the pixels. The minor modification allows the malware designer to mimic a legitimate ad, with only a slight difference in color. This makes it more difficult for these malicious ads to be spotted and analyzed.\r\n\r\nOn December 27, 2016, we noticed that Sundown was updated to use similar techniques. The PNG files weren\u2019t just used to store harvested information; the malware designers now used steganography to hide their exploit code."
}, { "category": "Network activity", "comment": "The following domains were used by the Sundown Exploit kit with the matching IP addresses:", "deleted": false, "disable_correlation": false, "timestamp": "1483518532", "to_ids": true, "type": "hostname", "uuid": "586cb244-2438-415e-898b-4f54950d210f", "value": "xbs.q30.biz" }, { "category": "Network activity", "comment": "The following domains were used by the Sundown Exploit kit with the matching IP addresses:", "deleted": false, "disable_correlation": false, "timestamp": "1483518533", "to_ids": true, "type": "ip-dst", "uuid": "586cb245-5778-45ca-91fd-4b1a950d210f", "value": "188.165.163.228" }, { "category": "Network activity", "comment": "The following domains were used by the Sundown Exploit kit with the matching IP addresses:", "deleted": false, "disable_correlation": false, "timestamp": "1483518534", "to_ids": true, "type": "hostname", "uuid": "586cb246-7490-4c5c-b121-4630950d210f", "value": "cjf.0340.mobi" }, { "category": "Network activity", "comment": "The following domains were used by the Sundown Exploit kit with the matching IP addresses:", "deleted": false, "disable_correlation": false, "timestamp": "1483518534", "to_ids": true, "type": "ip-dst", "uuid": "586cb246-e558-48de-868d-4051950d210f", "value": "93.190.143.211" }, { "category": "Payload delivery", "comment": "The Chthonic sample has the following hash", "deleted": false, "disable_correlation": false, "timestamp": "1483518567", "to_ids": true, "type": "sha1", "uuid": "586cb267-5c88-4c3f-be09-40cb950d210f", "value": "c2cd9ea5ad1061fc33adf9df68eeed6a1883c5f9" }, { "category": "Payload delivery", "comment": "The sample also used the following C&C server:", "deleted": false, "disable_correlation": false, "timestamp": "1483518593", "to_ids": true, "type": "filename", "uuid": "586cb281-7b1c-441f-98a9-4baf950d210f", "value": "pationare.bit" }, { "category": "Payload delivery", "comment": "The Chthonic sample has the following hash - Xchecked via VT: c2cd9ea5ad1061fc33adf9df68eeed6a1883c5f9", "deleted": false, "disable_correlation": false, "timestamp": "1483518636", "to_ids": true, "type": "sha256", "uuid": "586cb2ac-4808-4fee-9a32-474102de0b81", "value": "9581b02cbe553b7ca436b138d9df012d9712e81b554dbe620f1bf1bffdc09219" }, { "category": "Payload delivery", "comment": "The Chthonic sample has the following hash - Xchecked via VT: c2cd9ea5ad1061fc33adf9df68eeed6a1883c5f9", "deleted": false, "disable_correlation": false, "timestamp": "1483518636", "to_ids": true, "type": "md5", "uuid": "586cb2ac-4abc-425a-a997-4e0f02de0b81", "value": "9ebaf6efce9f198fa01f04e8535952ce" }, { "category": "External analysis", "comment": "The Chthonic sample has the following hash - Xchecked via VT: c2cd9ea5ad1061fc33adf9df68eeed6a1883c5f9", "deleted": false, "disable_correlation": false, "timestamp": "1483518637", "to_ids": false, "type": "link", "uuid": "586cb2ad-9628-46b3-9034-44bf02de0b81", "value": "https://www.virustotal.com/file/9581b02cbe553b7ca436b138d9df012d9712e81b554dbe620f1bf1bffdc09219/analysis/1483176386/" } ] } }