Sundown Exploit Kit Ill-Treating IE Vulnerability - Symantec


Symantec, a security firm, has discovered that the Sundown exploit kit (EK) has started to leverage a recent Internet Explorer (IE) flaw, CVE-2015-2444. Sundown is the first exploit kit to incorporate an exploit for the bug, and it used the exploit in a recent watering-hole attack in Japan.

CVE-2015-2444 was first made public on 12th August, 2015. Microsoft has issued a security update that patches this bug.

Symantec's security researchers noted that attackers are using Sundown to exploit this flaw and drop a backdoor Trojan on systems, mainly affecting internet users in Japan. The cybercriminals inserted an iframe into a legitimate site, redirecting visitors to a highly obfuscated landing page that hosted the Sundown exploit kit.

When users landed on the page, the exploit kit checked the system for driver files related to specific security software, prohibited application environments and traffic-capturing tools. To evade detection, the EK would not deliver exploits if any of these products were present.

After confirming that conditions were suitable, the exploit kit tried to exploit flaws in various software. If the kit was able to exploit any of them, it dropped Trojan.Nancrat onto the victim's computer. The Trojan acts as a backdoor and steals data from the compromised system.

Interestingly, researchers at Proofpoint also detected Sundown in late June 2015, describing it as a fairly new exploit kit that was dropping an unfamiliar remote access Trojan (RAT). According to Proofpoint, this shows that the market for these capabilities remains strong enough to attract new exploit kits, despite increased pressure from law enforcement and the domination of the market by a small number of high-profile exploit kits.

Computerweekly.com published news on 13th August, 2015 quoting a report as "As new exploit kits try to establish a foothold and expect attackers to look for new ways to leverage the flexibility and power of this piece of toolkit of the cyber criminal."

Customers should have up-to-date antivirus and IPS (intrusion prevention system) signatures installed on their systems to minimize the chances of falling victim to the Sundown exploit kit. Users should also update their software on a regular basis to stop attackers from exploiting known vulnerabilities.

» SPAMfighter News - 9/3/2015
