The new EK, dubbed Bizarro Sundown, was seen spreading a first version of the malware on Oct. 5 and a second on Oct. 19, according to a post from Trend Micro threat analysts Brooks Li and Joseph C. Chen.
Bizarro Sundown clones a number of attributes from its Sundown predecessor, but adds in anti-analysis features, the researchers found. Further, the second attack altered its URL format to dupe recipients into believing they were landing on legitimate web ads. Both versions, the researchers claim, were used exclusively by the ShadowGate/WordsJS campaign.
The industries and locations of legitimate websites that were compromised by this attack. There are 13 countries represented and about 27 different overall industries.
One interesting aspect of ShadowGate's campaign the researchers noted was an absence of attacks on weekends, with most victims in Taiwan and Korea.
According to Trend Micro, the first iteration of Bizarro Sundown went after a memory corruption vulnerability in Internet Explorer (CVE-2016-0189) and two security vulnerabilities in Flash: a use-after-free vulnerability (CVE-2015-5119) and an out-of-bound read bug (CVE-2016-4117), both since patched.
The change detected was Bizarro Sundown's obfuscation of its landing pages and the addition of anti-crawling functionality, intended to thwart automated crawlers used by researchers and analysts.
For the version noted Oct. 19, the researchers observed a change to its redirection chain that rendered URLs closer to normal advertising traffic. "It can now be integrated more directly into ShadowGate's new redirection method, which used to rely on scripts to route potential victims to malicious servers." The malware uses a malicious Flash (.SWF) file to achieve this, the report found.
As is typical to mitigate such attacks, the researchers stress a solid backup strategy as a good defense against ransomware, while the addition of patch management bolsters security at the device's perimeter. Further, maintaing updates on the operating system and software helps fend off exploits targeting flaws already patched by vendors.
Photo courtesy of Trend Micro