IOCs:
- 93.190.143.82 – dp.jev.mobi and nso.fzo.mobi – Sundown EK
Today I saw Sundown EK using a “pre-landing” page containing a script pointing to JavaScript files via relative paths. The file /trafficScript/iedetector.js contains JavaScript code that executes as soon as the browser receives it.
Looking at “iedetector.js” shows numerous checks being performed. We can also see that there are comments left in the file:
Once the checks are completed the Sundown EK landing page is requested, this time using “index2.php?”:
We then see the GET requests for the Flash exploits and PNG exploit. I am not sure if this was a test that I caught, a one-off, or something that we might be seeing in the near future.
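As an added example (not code from the original post), the request chain described above turned into a detection over constructed proxy log lines: a client that fetches a file named iedetector.js, then index2.php?, then a .swf from the same host is flagged, while a lone iedetector.js fetch is not. The log layout, the client IPs and the example.org lines are assumptions; the host and file names come from the post.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the original post) in an assumed
# "timestamp client method host path" layout. The host comes from the
# post's IOC list and the paths from the request chain it describes.
SAMPLE_LOG = """\
2017-01-21T10:00:01 10.0.0.5 GET dp.jev.mobi /trafficScript/iedetector.js
2017-01-21T10:00:02 10.0.0.5 GET dp.jev.mobi /index2.php?
2017-01-21T10:00:03 10.0.0.5 GET dp.jev.mobi /9643522803.swf
2017-01-21T10:00:04 10.0.0.5 GET dp.jev.mobi /78493521.swf
2017-01-21T10:00:05 10.0.0.7 GET example.org /static/iedetector.js
2017-01-21T10:00:09 10.0.0.7 GET example.org /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Ordered stages of the chain the post describes: the pre-landing check
# script, then the "index2.php?" landing page, then a Flash exploit file.
STAGES = (
    lambda p: p.lower().endswith("iedetector.js"),
    lambda p: p.lower().startswith("/index2.php"),
    lambda p: p.lower().endswith(".swf"),
)


def parse(log_text):
    """Yield (timestamp, client, host, path) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, _method, host, path = m.groups()
            yield ts, client, host, path


def find_sundown_chains(log_text):
    """Return {(client, host): [paths]} for each client whose requests to
    one host hit all three stages in order. A client that only fetches a
    file called iedetector.js (a plausible legitimate name) is not reported."""
    progress = defaultdict(lambda: [0, []])  # (client, host) -> [stage, paths]
    hits = {}
    for _ts, client, host, path in parse(log_text):
        state = progress[(client, host)]
        stage = state[0]
        if stage < len(STAGES) and STAGES[stage](path):
            state[1].append(path)
            state[0] += 1
            if state[0] == len(STAGES):
                hits[(client, host)] = list(state[1])
    return hits
```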
For anyone interested in taking a look at the files (JavaScript files, Flash exploits, PNG exploit and Sundown EK landing page) you can download them here:
Sundown EK Malicious Artifacts 012117.zip
They are zipped and password protected (same password used by numerous security researchers). Send me an email or hit me up on Twitter if you need the password.