A new variant of the Sundown exploit kit leverages on steganography to hide exploit code in harmless-looking image files.

Security experts from Trend Micro have spotted a new version of the Sundown exploit kit that exploits steganography in order to hide malicious code in harmless-looking image files.

The use of steganography was recently observed in the malvertising campaigns conducted by the AdGholas and GooNky groups.

The GooNky group leveraged on steganography to hide malvertising traffic, while AdGholas has used a more sophisticated technique leveraging the Stegano exploit kit.

Crooks encoded a script in the alpha channel of an image to deliver the malicious code via rogue ads that looked like legitimate.

Earlier in December, researchers from ESET discovered that Stegano hide portions of its malicious code in parameters controlling the transparency of pixels used to display banner ads, but the impact of the appearance of the images is almost imperceptible.

“The malicious version of the graphic has a script encoded in its alpha channel, which defines the transparency of each pixel. Since the modification is minor, the final picture’s color tone is only slightly different to that of the clean version” reads the analysis published by ESET.

A similar technique has been observed for a new version of the Sundown EK spotted by the researchers at Trend Micro on December 27.

“On December 27, 2016, we noticed that Sundown was updated to use similar techniques. The PNG files weren’t just used to store harvested information; the malware designers now used steganography to hide their exploit code.” reads the analysis published by Trend Micro.

The updated version of Sundown has been used in several malvertising campaigns, mostly targeting users in Japan, Canada, France and the US.

“The newly updated exploit kit was used by multiple malvertising campaigns to distribute malware. The most affected countries were Japan, Canada, and France, though Japanese users accounted for more than 30% of the total targets.”

sundown 

The new Sundown EK leverages on hidden iframes that automatically connects to a page hosting the Sundown EK. The page downloads a white PNG image and decodes malicious code it contains.

“In this updated version, the exploit kit’s malvertisement creates a hidden iframe that automatically connects to the Sundown landing page,” continues the post.“The page will retrieve and download a white PNG image. It then decodes the data in this PNG file to obtain additional malicious code.”

Researchers from Trend Micro leveraged on malicious code to trigger Internet Explorer flaws CVE-2015-2419 and CVE-2016-0189, and the Flash Player flaw tracked as CVE-2016-4117.

The researchers observed threat actors leveraging on the Sundown EK to deliver the Chthonic banking Trojan, a variant of the infamous Zeus malware, that was used by crooks in a PayPal scam in July.

The Sundown EK ranks today at the second place, behind RIG EK that is the most used crimeware kit in the criminal ecosystem.

According to security experts from Cisco Talos, threat actors behind the Sundown exploit kit leverage on an infrastructure composed of 80,000 malicious subdomains associated with more than 500 domains.

The experts observed that crooks behind the Sundown EK are using wildcards for subdomains which are exponentially growing the number of routes for malicious traffic to servers hosting the dreaded EK.

Pierluigi Paganini

[adrotate banner=”22″]