Copy-Pasting Sundown Exploit Kit Has Been Offline for More Than a Month


King of copy-paste exploits, the Sundown exploit kit, has been offline since March 8, and this also includes most of its variations, according to security researcher Kaffeine and Jérôme Segura of Malwarebytes.

While exploit kit operators have taken vacations in the past, they never lasted this long, and these were usually during the winter holidays or the summer months.

It is highly likely that we’ve seen the last of the Sundown exploit kit, which appeared on the market in June 2015 but had remained a small-time player until the summer of 2016.

Sundown was an accidental success

Its rise was favored by the shutdowns of the Angler and Nuclear exploit kits, and the Neutrino exploit kit voluntarily entering a private mode, with a smaller number of clients.

All of the above were professionally-coded exploit kits, which are web-based applications that automate the process of exploiting browser and OS vulnerabilities and installing malware on the computers of users.

On the other hand, Sundown was known since its birth only for using old or copy-pasted exploit packages, usually from the bigger market players.

Exploit kits, which are usually rented on the cyber-criminal underground, operate on the basis of the trust that buyers and EK operators have in each other.

Because of its copy-pasting practices, very few crooks trusted Sundown and its creators, a group known as the Yugoslav Business Network (YBN).

Sundown EK ad on a German-speaking underground hacking forum [Source: Zscaler]

Sundown – the king of copy-pasted exploits

After the disappearances of Angler, Nuclear, and Neutrino, Sundown rose through the ranks because there were very few exploit kits left alive and kicking during the summer and autumn of 2016.

While RIG established itself as the de facto leader on the exploit kit market, the Magnitude exploit kit remained a private toolkit, exclusively used by one group. This left the door open for YBN, which heavily invested in expanding its exploit arsenal over the summer.

As usual, the group was neither creative nor technically talented, and simply stole what it could from its competitors, past EKs, and publicly available exploit code, as reports from Trustwave and Zscaler pointed out last fall.

Sundown was going through changes before it disappeared

Since then, several variations of the Sundown exploit kit have appeared, such as Bizarro, Greenflash, Nebula, and Terror, all trying to capitalize on Sundown’s popularity, just as Sundown capitalized on previous EKs.

According to a Cisco Talos report from late March, right before it stopped all activity from known servers, the original Sundown exploit kit had suffered heavy modifications, such as better operational security, the removal of any YBN mentions, and changes to the way it delivered its payloads.

Furthermore, after Cisco and GoDaddy had been hounding its operators with domain takedowns, Sundown started migrating to a new registrar.

Sundown’s fate unsure

After activity from the classic Sundown variant had stopped out of the blue, all we can do is speculate on what happened.

For starters, we cannot say Sundown morphed into a new version, mainly because the exploit kit left too many clues behind for security researchers not to recognize it if it came back, even under a different brand.

We also cannot say that Sundown rebranded as the Terror EK, as Trustwave already proved this was a different exploit kit, based on Sundown, but marketed by a user going by the name of 666_KingCobra, and not by YBN.

Furthermore, while Sundown and the Bizarro, Greenflash, and Nebula variants have gone silent, Terror continued to be available on underground forums, even rebranding a few times as Blaze, Neptune, or Eris. This reinforces the theory that Sundown and Terror’s maintainers aren’t connected.

We’ll probably have to wait a few more months before we find out what happened with Sundown. When Angler and Nuclear disappeared from the market, it took two to three months before researchers discovered what had truly happened.

Exploit kit market is a barren place right now

In the meantime, the exploit kit market, which has close ties with spam and malvertising operators, is populated by exploit kits such as RIG, RIG-v, Terror, KaiXin and the closed-circuit Magnitude and Neutrino.

Another exploit kit that appeared and died in the past few months is RIG-E, also known as the Empire exploit kit.