The Sundown Exploit Kit (EK), which is trying to fill the gap left by the Angler and Nuclear EKs, is nothing more than a collection of copied exploits, according to the Trustwave SpiderLabs team.
Sundown, first spotted in June 2015, was for a long time a "small player" on the EK market, always trailing the competition, something its creators apparently knew, since they rarely bothered to update their tool.
Things changed after Angler and Nuclear disappeared from the market in the spring, as Zscaler pointed out three months ago in June, when the company reported a sharp increase in activity by Sundown's creators, the Yugoslavian Business Network (YBN).
Three months later, Trustwave says that this burst of activity did yield an improved exploit kit, but not in the way many had expected.
Instead of developing their own exploits, the Sundown team simply stole exploits from other EKs or copied ones that were freely available on the internet.
According to a technical analysis of the Sundown exploitation chain, Trustwave researchers found four different exploits:
According to the researchers, YBN stole the first from Angler (an Internet Explorer exploit, CVE-2015-2419), the second from RIG EK (a Silverlight exploit, CVE-2016-0034), the third from the Hacking Team data dump (a Flash exploit, CVE-2015-5119), and the fourth from Magnitude EK (a Flash exploit, CVE-2016-4117).
By contrast, the Angler team, which was in fact the group of criminals who originally developed the Lurk banking trojan, was famous for continually adding new exploits to its kit from the moment it first appeared on the market.
Almost certainly, the YBN team will not win new customers unless it starts offering better, and newer, exploits. It also needs a larger arsenal, since four or five exploits can hardly cover all the bases for a serious malvertising campaign.
Sundown's lacklustre effort is why a recent Zscaler report lists Neutrino and RIG as the two top exploit kits, with Magnitude and Sundown trailing in the rankings.
According to Zscaler, in recent months Neutrino has mostly been used to deliver the Gamarue malware dropper, the Tofsee backdoor trojan, and the CryptXXX and CrypMIC ransomware families.
RIG, on the other hand, distributes Tofsee, the Cerber ransomware, and the Gootkit and Vawtrak banking trojans. Magnitude has continued to spread Cerber ransomware, as it always has.