Researchers at MalwareBytes Labs have found what they consider an "atypical" iteration of the Sundown exploit kit (EK) in the wild.
On examination of the malicious payloads, the researchers detected a serving infrastructure that is different from any they saw before, though a previously examined Sundown EK shares the same Flash exploit. As well, the infrastructure for delivering this EK is dependent on domains all hosted on the same IP address, plus the payload URL (pastetext.biz) has been previously linked to the same EK distributor. The researchers – @hasherezade and Jérôme Segura – surmised this points to a single actor behind the editions.
Tracing strings referenced by the binary, the researchers determined that the tool is meant for mining cryptocurrency, but not the usual Bitcoin. Rather, upon detecting the author's Pastebin account and uncovering the user's name, "LoveMonero," the researchers posit that the new application is intended to grab Monero, a cryptocurrency created in April 2014 that saw a spike in usage in 2016 as an alternative protocol to the more widely used, and targeted, Bitcoin.
"This campaign looks strange to us due to the fact that it has been prepared in an extremely careless way," the authors stated. "There were a lot of traces stored in the application as well as the Github profile."
They conclude that the campaign is likely the work of novices attempting to work off an open source tool – ccminer-cryptonight – used for mining cryptocurrencies..