November 4, 2016
A new exploit kit has arrived which is spreading different versions of Locky ransomware. We spotted two cases of this new threat, which is based on the earlier Sundown exploit kit. Sundown rose to prominence (together with Rig) after the then-dominant Neutrino exploit kit was neutralized.
Called Bizarro Sundown, the first version was spotted on October 5 with a second sighting two weeks later, on October 19. Users in Taiwan and Korea made up more than half of the victims of this threat. Bizarro Sundown shares some features with its Sundown predecessor but added anti-analysis features. The October 19 attack also changed its URL format to closely resemble legitimate web advertisements. Both versions were used exclusively by the ShadowGate/WordsJS campaign.
First identified in 2015, the ShadowGate campaign targeted Revive and OpenX’s open-source advertising servers that have been locally installed. Once compromised, the servers act as gateways to the exploit kit for malware distribution. Some of the domains associated with this campaign were taken down. Recently, we saw the campaign using 181 compromised sites to deliver ransomware. In September we saw ShadowGate using the Neutrino exploit kit to drop a variant of Locky (with the encrypted files having the .zepto extension). On October 5, the campaign shifted to Bizarro Sundown. Two weeks later (October 19), a modified version of Bizarro Sundown was spotted.
Scale and Distribution of the Attacks
The number of Bizarro Sundown victims leads to an interesting finding right away: the number of victims drops to zero on weekends.
Figure 1. Timeline and number of Bizarro Sundown victims
We observed the ShadowGate campaign closing their redirections and removing the malicious redirection script from the compromised server during weekends and resuming their malicious activities on workdays. As for distribution, more than half of the victims were located in only two countries: Taiwan and South Korea. Germany, Italy, and China rounded out the top five countries.
Figure 2. Distribution of Bizarro Sundown attacks, by country
Description of the Attacks
The first version of Bizarro Sundown targeted a memory corruption vulnerability in Internet Explorer (CVE-2016-0189, fixed in May 2016) and two security flaws in Flash: a use-after-free vulnerability (CVE-2015-5119) and an out-of-bounds read bug (CVE-2016-4117). The first of these was fixed more than a year ago (July 2015), with the second patched earlier this year (May 2016). Bizarro Sundown’s second version leveraged only the two Flash exploits.
The first Bizarro Sundown attacks used a URL format similar to Sundown’s. However, it obfuscates its landing pages differently, without using a query string. Bizarro Sundown also added anti-crawling functionality. An increasingly common feature found in exploit kits today, anti-crawling functions are designed to defeat the automated crawlers used by researchers and analysts. This first version was used to deliver a Locky variant that appends the .odin extension to encrypted files.
Figure 3. Traffic of Sundown (above) and Bizarro Sundown (below) exploit kits
Two weeks later, we saw a new version of Bizarro Sundown that included changes to its redirection chain; its URLs are now more similar to typical advertising traffic. It can now be integrated more directly into ShadowGate’s new redirection method: where the campaign used to rely on scripts to route potential victims to malicious servers, it now utilizes a malicious Flash (.SWF) file for this purpose.
Figure 4. Second version of Bizarro Sundown from a compromised ad server
Figure 5. Part of the code that determines the version of Flash Player installed on the system
This file determines the version of Flash Player installed, which is relayed to the exploit kit via a query string. Bizarro Sundown uses that information to deliver the appropriate Flash exploit. This can be seen as a way to streamline redirections by removing intermediaries (landing pages) from the infection chain. During this time, we’ve seen ShadowGate delivering another Locky variant (detected by Trend Micro as RANSOM_LOCKY.DLDSAPZ) that appends a .thor extension to encrypted files.
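One way a defender can hunt for the chain described above (a .swf served from an ad path, followed by a request referred by that .swf whose query string carries a Flash Player version) in web proxy logs. This is an added example, not code from the original post or from Trend Micro; the log format, the hostnames and the idea that the version appears as a four-part number in the query string are constructed assumptions, since the post does not publish the parameter name or URL pattern.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the original post): client, method, URL, referer.
SAMPLE_LOG = """\
10.0.0.5 GET http://ads.example-adserver.test/www/delivery/afr.php?zoneid=17 -
10.0.0.5 GET http://cdn.banners-example.test/creative/promo.swf http://ads.example-adserver.test/www/delivery/afr.php?zoneid=17
10.0.0.5 GET http://track.banners-example.test/click?id=88213&fp=22.0.0.192 http://cdn.banners-example.test/creative/promo.swf
10.0.0.9 GET http://www.example.test/index.html -
10.0.0.9 GET http://static.example.test/player.swf http://www.example.test/index.html
10.0.0.9 GET http://static.example.test/video.mp4 http://static.example.test/player.swf
"""

# Flash Player reports its version as four numbers (e.g. 22.0.0.192); kits sometimes
# separate them with commas or underscores instead of dots. The parameter name is an
# unknown, so only the shape of the value is matched, anywhere in the query string.
FLASH_VERSION = re.compile(r"(?<![\d.])\d{1,2}[.,_]\d{1,3}[.,_]\d{1,3}[.,_]\d{1,3}(?![\d.])")


def parse_line(line):
    """Split one constructed log line into (client, url, referer)."""
    client, _method, url, referer = line.split(" ", 3)
    return client, url, referer


def find_version_relays(log_text):
    """Return (client, swf_url, relay_url, version) for every request that was referred
    by a .swf the same client fetched earlier and whose query string carries a
    Flash-style version string. Ordinary SWF players (10.0.0.9) produce no hit."""
    swf_by_client = defaultdict(set)
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        client, url, referer = parse_line(raw)
        path, _, query = url.partition("?")
        if path.lower().endswith(".swf"):
            swf_by_client[client].add(url)
        if query and referer in swf_by_client[client]:
            match = FLASH_VERSION.search(query)
            if match:
                hits.append((client, referer, url, match.group(0)))
    return hits


if __name__ == "__main__":
    for hit in find_version_relays(SAMPLE_LOG):
        print("possible Flash version relay:", hit)
```

A hit is only a lead: confirm it by checking whether the referring .swf and the destination host belong to the ad network the page actually embeds.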
While a solid backup strategy is a good defense against ransomware, doubling down on sound patch management helps further secure the device’s perimeter. Keeping the operating system and other installed software up-to-date mitigates the risks of exploits targeting vulnerabilities that have already been fixed by software vendors.
Users and enterprises can also benefit from a multilayered approach to security—from gateway, endpoints, networks, and servers. Using a security solution that can proactively provide defense against attacks leveraging system and software vulnerabilities is also recommended.
Hat tip to @kafeine, with whom we collaborated on this research and analysis.
Some of the indicators of compromise (IoCs) include:
SHA1 detected as RANSOM_LOCKY.DLDSAPZ
Related to ShadowGate:
Related to Bizarro Sundown Exploit Kit:
Updated on November 5, 2016, 09:45 AM (UTC-7)
We clarified what was originally written in the third paragraph regarding how domains used by ShadowGate were taken down. We also listed the SHA-1 hash that we detect as RANSOM_LOCKY.DLDSAPZ, and some of the IoCs related to ShadowGate and Bizarro Sundown.
Updated on November 8, 2016, 09:00 PM (UTC-7)
We have clarified the naming of the second attack, which is called GreenFlash Sundown.