Sundown EK: Pre-Landing Page.

IOCs:

  • 93.190.143.82 – dp.jev.mobi and nso.fzo.mobi – Sundown EK

Traffic:

[Image: Sundown EK pre-landing page traffic]

Hashes:

SHA256: 37d479720f7d5f5bc2ec8ff93568798ba891bc35514925f4969cbc5a48c869c0
File name: iedetector.js

SHA256: 1230ef25fd9d4238ad80d5e4a0e5d489075edfe9b7321c691f99972de640541b
File name: index2.php.html

SHA256: 0744ba67c5f8210fcdcf4acb328df68780e96d10f2c68b8eddbb9a355bca213e
File name: 9643522803.swf

SHA256: 5aaaa4f18ff200eb46f8be49f720f2462e954c2ef216d1258c6c3ed99ec1d4bf
File name: 947545190441&id=257.swf

SHA256: 67d598c6acbd6545ab24bbd44cedcb825657746923f47473dc40d0d1f122abb6
File name: 78493521.swf

Today I saw Sundown EK using a “pre-landing” page containing a script that points to JavaScript files via relative paths. The file /trafficScript/iedetector.js contains JavaScript code that executes immediately after the browser receives the file.

[Image: Sundown EK pre-landing page]

Looking at “iedetector.js” shows numerous checks being performed. We can also see that there are comments left in the file:

[Image: iedetector.js checks]

Once the checks are completed, the Sundown EK landing page is requested, this time using “index2.php?”:

[Image: Sundown EK landing page]

We then see the GET requests for the Flash exploits and PNG exploit. I am not sure if this was a test that I caught, a one-off, or something that we might be seeing in the near future.
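The request sequence described above (pre-landing script, then index2.php, then the Flash requests) is the kind of ordered chain a defender can hunt for in proxy logs. The following is an added example, not code from the post; the log format and the sample lines are constructed, and only the hosts and paths come from the capture above.

```python
import re
from collections import defaultdict

# Indicators taken from the post: the Sundown EK hosts and the request
# sequence seen in the capture (pre-landing script -> landing page -> Flash).
SUNDOWN_HOSTS = {"dp.jev.mobi", "nso.fzo.mobi"}
STAGES = [
    ("pre-landing", re.compile(r"/trafficScript/iedetector\.js$")),
    ("landing",     re.compile(r"/index2\.php(\?|$)")),
    ("flash",       re.compile(r"\.swf$")),
]

# Constructed proxy-log lines (not from the post): "client host method path".
SAMPLE_LOG = """\
10.0.0.5 www.example.com GET /index.html
10.0.0.5 dp.jev.mobi GET /trafficScript/iedetector.js
10.0.0.5 dp.jev.mobi GET /index2.php?
10.0.0.5 dp.jev.mobi GET /9643522803.swf
10.0.0.7 nso.fzo.mobi GET /trafficScript/iedetector.js
10.0.0.9 cdn.example.net GET /video.swf
"""

def parse_line(line):
    client, host, method, path = line.split(maxsplit=3)
    return client, host.lower(), method, path

def stage_of(path):
    # Map a request path to the EK stage it corresponds to, if any.
    for name, pat in STAGES:
        if pat.search(path):
            return name
    return None

def find_sundown_chains(log_text):
    """Return {client: [stages in order]} for clients that contacted a
    Sundown EK host; a client whose list ends in 'flash' got the exploits."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, host, _method, path = parse_line(line)
        if host not in SUNDOWN_HOSTS:
            continue
        stage = stage_of(path)
        if stage and stage not in seen[client]:
            seen[client].append(stage)
    return dict(seen)

def full_chain_clients(log_text):
    # Clients that walked the whole pre-landing -> landing -> Flash chain.
    return sorted(c for c, s in find_sundown_chains(log_text).items()
                  if s == ["pre-landing", "landing", "flash"])

if __name__ == "__main__":
    for client, stages in find_sundown_chains(SAMPLE_LOG).items():
        print(client, "->", " -> ".join(stages))
    print("full chain:", full_chain_clients(SAMPLE_LOG))
```

A client that only fetched iedetector.js (10.0.0.7 in the sample) is worth a look too, since the checks in that script decide whether the landing page is ever requested.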

For anyone interested in taking a look at the files (JavaScript files, Flash exploits, PNG exploit and Sundown EK landing page) you can download them here:

Sundown EK Malicious Artifacts 012117.zip

They are zipped and password protected (same password used by numerous security researchers). Send me an email or hit me up on Twitter if you need the password.
