ProMediads now using Sundown-Pirate EK to spread a variety of malware

A year-old malvertising campaign has helped researchers uncover a new exploit kit (EK) called Sundown-Pirate that is being used to deliver a plethora of malware types.

Trend Micro researchers found that ProMediads, active since 2016, had been using the Rig and Sundown EKs but had more or less disappeared in February 2017, only to reappear in June. During this burst of activity ProMediads was using Rig, but it switched to Sundown-Pirate on June 25, Trend Micro fraud researcher Joseph Chen said. He added that the campaign has also expanded well beyond malvertising and is now linked to ransomware and crypto-currency mining, among other payloads.

Chen believes Sundown-Pirate may be a new, privately held EK because it is being used only by ProMediads, much as the ShadowGate campaign exclusively used the GreenflashSundown EK.

“Our analysis and monitoring revealed that Sundown-Pirate borrowed code from predecessors Hunter and Terror exploit kits. Its JavaScript obfuscation, however, is similar to Sundown's. This mishmash of scrounged capabilities is what made us think it's new,” Chen said.

The good news is that ProMediads only works against Internet Explorer and Flash Player, exploiting three known and patched IE vulnerabilities and one Flash vulnerability. This means users of the more popular Chrome and Firefox browsers are protected, as Flash is disabled by default in those browsers.

What is new is that ProMediads no longer deals just in malvertising malware. Instead, when the malvertisements diverted victims to Sundown-Pirate, the EK delivered a botnet/info-stealer, PoS malware, ransomware and even a crypto-currency miner.

“On June 25, for instance, Sundown-Pirate dropped the Trojan SmokeLoader (TROJ_SMOKELOAD.A), which installed the information-stealing botnet infector Zyklon (TSPY_ZYKLON.C). By July 12, the exploit kit's payload changed to point-of-sale (PoS) malware LockPOS. It's a known conspirator of Flokibot's campaigns, another threat that targets point-of-sale/credit card data,” Chen said.

Since this malware only takes advantage of previously patched vulnerabilities, Chen said the best defense is simply making sure a computer system's updates are current.