IOCs:
- 93.190.143.82 – cfx.hvb.mobi – Sundown EK
- 93.190.143.82 – hxrheg.fve.mobi – Sundown EK
- Cerber check-in traffic via UDP port 6892:
  - 90.2.1.0/27
  - 90.3.1.0/27
  - 91.239.24.0/23 (CIDR Address Range: 91.239.24.0 – 91.239.25.255)
- 162.220.244.29 – p27dokhpz2n7nvgr.onion – Cerber Decryptor page
- 162.220.244.29 – p27dokhpz2n7nvgr.1kja1j.top – Cerber Decryptor page
- 162.220.244.29 – p27dokhpz2n7nvgr.1dlcbk.top – Cerber Decryptor page
- 162.220.244.29 – p27dokhpz2n7nvgr.15l2ub.top – Cerber Decryptor page
HTTP Method and URIs:
- GET /index.php?uErVBXqo2eo=5yi3Mj-n06JRTyrU0aJPqVnSgpo29BVq_FX5nwdkfgyiksTml74nFDUb
- GET /7/?9643522803
- GET /7/?947545190441&id=265
- GET /7/?78493521
- GET /bvfhjgejhfrg.png
- GET /@@@.php?id=265
Traffic:
Hashes:
SHA256: 85c6e214e0d0c33a001c1096a6e03231ea3b3fbbf4a9afbd58a1230735e2ff73
File name: SundownEK Landing Page.html
SHA256: 0744ba67c5f8210fcdcf4acb328df68780e96d10f2c68b8eddbb9a355bca213e
File name: SundownEK Flash Exploit.swf
SHA256: f4845a817b7b777972ceb292b62103b296a002577884b952e4726e419a7f1df6
File name: SundownEK Flash Exploit 2.swf
SHA256: 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6
File name: SundownEK Flash Exploit 3.swf
SHA256: e93f568ecd22e351cc3f0d8f8b3177fa7af812300cbb259a84b80013301a2601
File name: bvfhjgejhfrg.png
SHA256: 40f67e693b44cb973c914fdf8defb3bdc7df852c4f37a0a4344022923ded0aef
File name: OTTYUADAF
SHA256: 0a684fba47e55e140460d2e6ef62c7b6a378b204cc85c1086da8d6e2fa7c28ca
File name: radE76F1.tmp.exe
Hybrid-Analysis Report
Infection Chain:
The infection chain starts off when the user visits the compromised website. Injected into the source code of the page was the EITest script:
The URL within the script shown above redirects the host to a Sundown EK landing page. Below is a partial image of that landing page.
For anyone wanting to see the full text of the landing page, you can download the file here: sundownek-landing. The password is the same one used by other security researchers. If you need the password, send me an email or contact me on Twitter.
I then saw the EK deliver 3 Flash exploits:
I’ve seen some of these Flash exploits before. For example, the first Flash exploit was uploaded to VT on 2016-12-21 13:36:19 UTC and was from RIG-v EK.
We also see the EK retrieve a white PNG image, which is used to obtain additional malicious code:
To read more about the steganography technique being used by Sundown see the following TrendMicro blog post http://blog.trendmicro.com/trendlabs-security-intelligence/updated-sundown-exploit-kit-uses-steganography/.
The first file we see being created in %Temp% is called “OTTYUADAF,” which is a script used to download the payload. As a side note, the file hash was identical to one that I first submitted to VT 4 weeks ago (2016-12-22 04:58:45 UTC):
You can also see the Cerber payload being dropped in %Temp% under the name radE76F1.tmp.exe. One folder and two files within that folder are partially named after the machine’s GUID. Following the execution of the executable we see the Cerber check-in traffic via UDP port 6892 (see IOCs above for CIDR ranges).
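The UDP/6892 check-in described above is easy to hunt for in flow records once you have the CIDR ranges from the IOCs. The following is an added example (not code from the original post); the flow lines are constructed samples, and the record format and function names are my own assumptions.

```python
import ipaddress

# CIDR ranges listed in the IOCs above for the Cerber UDP check-in traffic
CERBER_CHECKIN_NETS = [
    ipaddress.ip_network("90.2.1.0/27"),
    ipaddress.ip_network("90.3.1.0/27"),
    ipaddress.ip_network("91.239.24.0/23"),
]
CERBER_CHECKIN_PORT = 6892

# Constructed sample flow records (not from the original capture), one per line:
# "proto src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
udp 10.0.0.15 49152 90.2.1.17 6892
udp 10.0.0.15 49153 91.239.25.200 6892
udp 10.0.0.15 49154 91.239.26.1 6892
tcp 10.0.0.15 49155 90.2.1.17 6892
udp 10.0.0.22 49156 90.3.1.40 6892
udp 10.0.0.22 49157 90.3.1.9 6892
udp 10.0.0.15 49158 8.8.8.8 53
"""


def parse_flow(line):
    """Split one whitespace-separated 5-tuple into a dict (hypothetical format)."""
    proto, src, sport, dst, dport = line.split()
    return {
        "proto": proto.lower(),
        "src": src,
        "sport": int(sport),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
    }


def is_cerber_checkin(flow):
    """True when the flow is UDP to port 6892 and the destination is inside a listed range.
    The /27 and /23 boundaries matter: 90.3.1.40 is outside 90.3.1.0/27 and is not flagged."""
    return (
        flow["proto"] == "udp"
        and flow["dport"] == CERBER_CHECKIN_PORT
        and any(flow["dst"] in net for net in CERBER_CHECKIN_NETS)
    )


def find_cerber_checkins(text):
    """Return every flow record in `text` that matches the check-in pattern."""
    return [parse_flow(l) for l in text.splitlines() if l.strip() and is_cerber_checkin(parse_flow(l))]


def affected_hosts(text):
    """Sorted list of internal source IPs that produced a matching check-in."""
    return sorted({f["src"] for f in find_cerber_checkins(text)})
```

Run against real NetFlow or Zeek conn logs, the `affected_hosts` list is the set of machines to pull for the %Temp% artefacts named above.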
Below is an image of the Desktop showing it has been changed to display the ransom note, as well as the .hta and .jpg ransom notes being dropped:
The naming convention of the Cerber ransom notes was recently changed to _HELP_HELP_HELP_<random 1-9 A-Z>.hta and .jpg.
As always, block the EK IP at your perimeter firewall(s).