Sundown Exploit Kit via EiTest campaign delivers SmokeBot loader


NOTES:

  • Today I captured traffic from the Sundown Exploit Kit (EK) which delivered a malicious payload via the EITEST campaign.
  • The malicious payload is consistent with the SmokeBot loader, used to download more malware.
  • Thanks to @HenriNurmi for sharing information on the compromised site.

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2016-11-17-Sundown-EK-pcap.zip


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • gasthaus-hansi.at – COMPROMISED SITE
  • 164.132.116.52 – nti.6786890.com GET /index.php? – SUNDOWN LANDING PAGE
  • 164.132.116.52 – nti.6786890.com GET /undefined – 404 Not Found
  • 164.132.116.52 – nti.6786890.com GET /4325/542.swf – FLASH EXPLOIT 1
  • 164.132.116.52 – nti.6786890.com GET /4325/127.swf – FLASH EXPLOIT 2
  • 164.132.116.52 – nti.6786890.com GET /undefined – 404 Not Found
  • 164.132.116.52 – nti.6786890.com GET /4325/5364.xap – SILVERLIGHT EXPLOIT
  • 149.202.67.202 – d.888627.info GET /z.php?id=127 – MALICIOUS PAYLOAD
  • 81.177.27.6 – locki.todaymaryland.su POST /xksakaimo/ – POST INFECT TRAFFIC
  • 81.177.27.6 – man.todaymaryland.su POST /xksakaimo/ – POST INFECT TRAFFIC
  • 81.177.27.6 – todaymaryland.su POST /xksakaimo/ – POST INFECT TRAFFIC
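The indicator list above reads as one client's walk through the chain: landing page, Flash and Silverlight exploit files, payload download, then the repeated POSTs to the todaymaryland.su hosts. The following script is an added example (not part of this write-up or the pcap) that turns those indicators into detection logic: it replays constructed proxy-style log lines, classifies each hit by stage, rebuilds the chain per client and rates it. The log format, client IPs (10.0.0.x) and timestamps are constructed for the example; the server IPs, hostnames and URIs are the ones listed above, with the URI patterns generalised to numeric directory, file and id values.

```python
"""Added example, not part of the original write-up: replay constructed HTTP
proxy-style log lines against the Sundown EK / SmokeBot indicators listed
above and reconstruct the infection chain per client."""
import re
from collections import defaultdict

# Indicators copied from the ASSOCIATED DOMAINS AND IP ADDRESSES list.
EK_HOSTS = {"nti.6786890.com"}
PAYLOAD_HOSTS = {"d.888627.info"}
C2_HOSTS = {"locki.todaymaryland.su", "man.todaymaryland.su", "todaymaryland.su"}
IOC_HOSTS = EK_HOSTS | PAYLOAD_HOSTS | C2_HOSTS
IOC_IPS = {"164.132.116.52", "149.202.67.202", "81.177.27.6"}

# Stage rules: (method, allowed hosts, URI pattern, stage label), checked in order.
# Patterns generalise the observed URIs (numeric directory/file names, numeric id).
STAGE_RULES = [
    ("GET",  EK_HOSTS,      re.compile(r"^/index\.php(\?.*)?$"), "landing"),
    ("GET",  EK_HOSTS,      re.compile(r"^/\d+/\d+\.swf$"),      "flash_exploit"),
    ("GET",  EK_HOSTS,      re.compile(r"^/\d+/\d+\.xap$"),      "silverlight_exploit"),
    ("GET",  PAYLOAD_HOSTS, re.compile(r"^/z\.php\?id=\d+$"),    "payload"),
    ("POST", C2_HOSTS,      re.compile(r"^/xksakaimo/$"),        "c2_post"),
]

# Constructed log format: "<timestamp> <client_ip> <server_ip> <method> <host> <uri> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")

# Constructed sample log: 10.0.0.5 walks the full chain from the write-up,
# 10.0.0.9 only reaches the landing page and one Flash file, 10.0.0.20 is benign.
SAMPLE_LOG = """\
2016-11-17T10:00:01 10.0.0.5 164.132.116.52 GET nti.6786890.com /index.php? 200
2016-11-17T10:00:02 10.0.0.5 164.132.116.52 GET nti.6786890.com /undefined 404
2016-11-17T10:00:03 10.0.0.5 164.132.116.52 GET nti.6786890.com /4325/542.swf 200
2016-11-17T10:00:04 10.0.0.5 164.132.116.52 GET nti.6786890.com /4325/127.swf 200
2016-11-17T10:00:05 10.0.0.5 164.132.116.52 GET nti.6786890.com /undefined 404
2016-11-17T10:00:06 10.0.0.5 164.132.116.52 GET nti.6786890.com /4325/5364.xap 200
2016-11-17T10:00:09 10.0.0.5 149.202.67.202 GET d.888627.info /z.php?id=127 200
2016-11-17T10:00:20 10.0.0.5 81.177.27.6 POST locki.todaymaryland.su /xksakaimo/ 200
2016-11-17T10:00:21 10.0.0.5 81.177.27.6 POST man.todaymaryland.su /xksakaimo/ 200
2016-11-17T10:00:22 10.0.0.5 81.177.27.6 POST todaymaryland.su /xksakaimo/ 200
2016-11-17T10:05:00 10.0.0.9 164.132.116.52 GET nti.6786890.com /index.php? 200
2016-11-17T10:05:01 10.0.0.9 164.132.116.52 GET nti.6786890.com /4325/542.swf 200
2016-11-17T10:06:00 10.0.0.20 203.0.113.7 GET example.com /index.html 200
"""


def classify(line):
    """Map one log line to (client_ip, stage); None when it touches no indicator."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, server, method, host, uri, _status = m.groups()
    if host not in IOC_HOSTS and server not in IOC_IPS:
        return None
    for rule_method, hosts, uri_re, stage in STAGE_RULES:
        if method == rule_method and host in hosts and uri_re.match(uri):
            return client, stage
    # Known-bad host or IP with an unrecognised URI (e.g. the 404 /undefined requests).
    return client, "other_ioc_contact"


def reconstruct_chains(log_text):
    """Group indicator hits by client, preserving log order."""
    chains = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            client, stage = hit
            chains[client].append(stage)
    return dict(chains)


def verdict(stages):
    """Rate a client's chain: payload download plus C2 POSTs is the strongest
    signal of a successful SmokeBot infection; exploit files without a payload
    suggest the exploit failed or the download was blocked; anything else is a
    contact with a known-bad host that still deserves a look."""
    stages = set(stages)
    if "payload" in stages and "c2_post" in stages:
        return "infected"
    if "payload" in stages:
        return "payload_downloaded"
    if stages & {"landing", "flash_exploit", "silverlight_exploit"}:
        return "exploit_attempt"
    return "suspicious_contact"


def report(log_text):
    """Return {client_ip: (verdict, stages)} for every client that hit an indicator."""
    return {c: (verdict(s), s) for c, s in reconstruct_chains(log_text).items()}


if __name__ == "__main__":
    for client, (v, stages) in report(SAMPLE_LOG).items():
        print(f"{client}: {v}  <- {' > '.join(stages)}")
```

Keeping the 404 /undefined requests as a separate "other_ioc_contact" stage rather than discarding them is deliberate: on their own they carry no weight in the verdict, but they are a recognisable quirk of this landing page and help confirm which EK a partial chain belongs to.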


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Sundown EK and the delivery of the malicious payload


Shown above: Fiddler used to show each stage of infection chain


Shown above: Using Wireshark's “Follow Stream” option shows the injected script on the compromised site, associated with the EiTest campaign, redirecting to the Sundown EK landing page.


MALICIOUS PAYLOAD ASSOCIATED WITH RIG EXPLOIT: