Sundown Exploit Kit Is Lagging Behind Despite Recent Updates

Sundown's Creators Know How to Use the Ctrl+C and Ctrl+V Shortcuts

It's fair to say that the exploit kit market isn't in its heyday at the moment. According to TrendMicro, the number of active kits out there has plummeted from 28 back in 2014 to just seven at the end of June 2016. Sundown popped up in 2015, and although it has managed to survive, it has never really been a top dog in the race for supremacy among exploit kits. In fact, security experts have been left with the impression that the Yugoslavian Business Network, the hacker group believed to be behind Sundown, might be a bit lazy.

The crooks who developed the Angler exploit kit, for example, thought they were quite clever. They are also responsible for the Lurk banking Trojan, and they were renowned for updating both their exploit kit and their Trojan fairly often. Thanks to the frequent updates, Angler quickly became a favorite among malware distributors.

Nuclear, another exploit kit, was receiving new features on a regular basis as well, which means that it too was rather popular with cyber crooks.

By contrast, Sundown spent the first year of its life pretty much untouched, which is why it was struggling to keep up with the industry leaders.

In June, however, it became apparent that the Angler gang isn't so clever after all. After a police raid, fifty individuals ended up in handcuffs and the exploit kit went down. Days later, Nuclear died as well.

The people behind Sundown realized that the changing landscape might give them the chance to monetize their creation. First, however, they needed to update it. At the beginning of September, researchers from Trustwave inspected the new features and came to the conclusion that Sundown's creators really are lazy.

Just four exploits were added to the kit, and all of them were stolen. The first one was copy-pasted from Angler, the second one came straight from RIG's source code, the third one was publicly available, and the fourth one was stolen from the Magnitude exploit kit.

With just four old exploits, Sundown will never be able to gain as much attention as the bigger exploit kits, and, not surprisingly, even after the death of Angler and Nuclear, it is still trailing behind more sophisticated offerings like Neutrino and RIG.

That said, although it's not the most popular kit out there, crooks still use it. Recently, researchers found out that the gang behind the CryLocker ransomware, for example, has decided to switch from the RIG exploit kit to Sundown.

The latest findings go to show that, no matter how unsophisticated and outdated it may be, an exploit kit still presents a serious threat.