- 18.104.22.168 – cfx.hvb.mobi – Sundown EK
- 22.214.171.124 – hxrheg.fve.mobi – Sundown EK
- Cerber check-in traffic via UDP port 6892:
- 126.96.36.199/23 (CIDR Address Range: 188.8.131.52 – 184.108.40.206)
- 220.127.116.11 – p27dokhpz2n7nvgr.onion – Cerber Decryptor page
- 18.104.22.168 – p27dokhpz2n7nvgr.1kja1j.top – Cerber Decryptor page
- 22.214.171.124 – p27dokhpz2n7nvgr.1dlcbk.top – Cerber Decryptor page
- 126.96.36.199 – p27dokhpz2n7nvgr.15l2ub.top – Cerber Decryptor page
HTTP Method and URIs:
- GET /index.php?uErVBXqo2eo=5yi3Mj-n06JRTyrU0aJPqVnSgpo29BVq_FX5nwdkfgyiksTml74nFDUb
- GET /7/?9643522803
- GET /7/?947545190441&id=265
- GET /7/?78493521
- GET /bvfhjgejhfrg.png
- GET /@@@.php?id=265
File name: SundownEK Landing Page.html
File name: SundownEK Flash Exploit.swf
File name: SundownEK Flash Exploit 2.swf
File name: SundownEK Flash Exploit 3.swf
File name: bvfhjgejhfrg.png
File name: OTTYUADAF
File name: radE76F1.tmp.exe
The infection chain starts off when the user visits the compromised website. Injected in the source code of the page was the EITest script:
The URL within the script shown above redirects the host to a Sundown EK landing page. Below is a partial image of that landing page.
For anyone wanting to see the full text of the landing page you can download the file here: sundownek-landing. The password is the same used by other security researchers. If you need the password send me an email or contact me on Twitter.
I then saw the EK deliver 3 Flash exploits:
I’ve seen some of these Flash exploits before. For example, the first Flash exploit was uploaded to VT on 2016-12-21 13:36:19 UTC and was from RIG-v EK.
We also see the EK retrieve a white PNG image which is used to obtain additional malicious code:
To read more about the steganography technique being used by Sundown see the following TrendMicro blog post http://blog.trendmicro.com/trendlabs-security-intelligence/updated-sundown-exploit-kit-uses-steganography/.
The first file we see being created in %Temp% is a called “OTTYUADAF,” which is script used to download the payload. As a side note, the file hash was identical to one that I first submitted to VT 4 weeks ago (2016-12-22 04:58:45 UTC):
You can also see the Cerber payload being dropped in %Temp% under the name radE76F1.tmp.exe. One folder and two files within that folder are partially named after the machine’s GUID. Following the execution of the executable we see the Cerber check-in traffic via UDP port 6892 (see IOCs above for CIDR ranges).
Below is an image of the Desktop showing it has been changed to display the ransom note, as well as the .hta and .jpg ransom notes being dropped:
The naming convention of the Cerber ransom notes was recently changed to _HELP_HELP_HELP_<random 1-9 A-Z>.hta and .jpg.
As always, block the EK IP and your perimeter firewall(s).