Threat Management, Malware

No honour among thieves: Sundown EK stealing exploits

The Sundown Exploit Kit (EK) has been caught thieving other thieves' property.

Often considered to be of little interest by those on the frontline, Sundown's developers have started to get their act together.  Researchers at Trustwave detailed the EK's practice of stealing other kits' exploits and incorporating them into itself.

The once-marginal EK is perhaps not yet on the level of the dear-departed Angler or the newly prominent Neutrino or RIG EKs that have risen to take Angler's place, but it's certainly improving.

When the EK first arrived on the scene, it was talked about in a tone that approaches pity, more than concern. One blogger started his introduction to the EK with “There is nothing worth a post there”, before referring to it not as a kit, but rather a ‘kit'.

Trustwave sketches out two ways in which Sundown has begun to do this.

Firstly, it has outsourced much to something called the “Yugoslavian Business Network”. Secondly, it has started using other people's exploits within the kit.

Trustwave researchers found four pilfered exploits within the kit. One stolen from the late, great Angler EK, another stolen from RIG, another from Hacking Team and a Flash exploit from the Magnitude EK.

This is perhaps to be expected said Chris Boyd, malware intelligence analyst at Malwarebytes.

He told that, “Malware authors regularly pillage one another's code, especially in amateur circles, and it's a case of going with whatever works - in this case, ripping code at significantly cheaper cost than building something from the ground up."

He added, “Smaller groups may not be able to compete with the professionals, but there's nothing stopping them from using them as stepping stones to a bigger piece of the financial pie. While smaller groups are effectively nibbling at the heels of the larger hacking teams, their activities are likely too low level to prove to be any sort of nuisance to the pros - they'll keep on producing high level exploits either way."

Sundown's thefts might be working, too. According to Trustwave, there is a general uptick in Sundown traffic.

However, a security researcher for the SpiderLabs team at Trustwave told SC that this may just as well be a response to interventions in the EK market: “The disappearance of both Angler and Nuclear EKs left a big chunk of the market looking into other options so we've seen an overall increase of traffic in all the exploit kits that remain active. I wouldn't say that Sundown has increased more significantly than other EKs so I wouldn't necessarily attribute the increase to these particular changes.”

There's certainly not a lot of honour among cyber-thieves, especially as more and more competition jumps in to get a slice of the pie”, Ben Johnson, chief security strategist for Carbon Black told SC.

“They only get paid if they're successful, and with buyers of toolkits able to easily compare what works and what doesn't, it forces the seller of the product (the exploit kit maker) to try to stay cutting edge. If that means stealing then so be it.”

However, concluded Johnson, “The final thing is just because exploits appear in multiple kits does not mean it is straight up stolen. While there will always be cases of criminal against criminal battles, sometimes the same cyber-weapon can be repackaged and utilised by different groups or for different purposes, much like legitimate products might be sold at different price points in different regions or in different verticals.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.