Figure 1. Timeline and number of Bizarro Sundown victims

We observed the ShadowGate campaign closing its redirections and removing the malicious redirection script from the compromised server during weekends, then resuming its malicious activity on workdays. As for distribution, more than half of the victims were located in only two countries: Taiwan and South Korea. Germany, Italy, and China rounded out the top five countries.
Figure 2. Distribution of Bizarro Sundown attacks, per country

Description of the Attacks

Bizarro Sundown targeted a memory corruption vulnerability in Internet Explorer (CVE-2016-0189, fixed in May 2016) and two security flaws in Flash: a type confusion vulnerability (CVE-2015-7645) and an out-of-bounds read bug (CVE-2016-4117). The first of these was fixed a year ago (October 2015), with the second patched earlier this year (May 2016). Bizarro Sundown's second version leveraged only the two Flash exploits.

Bizarro Sundown attacks shared a URL format similar to Sundown's. However, it obfuscates its landing pages differently, without using a query string. Bizarro Sundown also added anti-crawling functionality. An increasingly common feature in exploit kits today, anti-crawling functions are designed to defeat the automated crawlers used by researchers and analysts. It was used to deliver a Locky variant that appended the .odin extension to encrypted files.
Figure 3. Traffic of Sundown (above) and Bizarro Sundown (below) exploit kits

Two weeks later, we saw a new version of Bizarro Sundown that included changes to its redirection chain; its URLs now look more like typical advertising traffic. This version was given the name GreenFlash Sundown. It can now be integrated more directly into ShadowGate's new redirection method, which previously relied on scripts to route potential victims to malicious servers. It now uses a malicious Flash (.SWF) file for this purpose. This file determines the version of Flash Player installed, which is relayed to the exploit kit via a query string. Bizarro Sundown uses that information to deliver the appropriate Flash exploit. This can be seen as a way to streamline redirections by removing intermediaries (landing pages) from the infection chain. During this time, we have seen ShadowGate delivering another Locky variant (detected by Trend Micro as RANSOM_LOCKY.DLDSAPZ) that appends a .thor extension to encrypted files.
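The redirection pattern described above (a SWF that reports the installed Flash Player version in a query string, followed by the exploit kit serving a payload) can be hunted for in web proxy logs. The following is an added example, not code from the original post or from Trend Micro; the log format, hostnames, version value and time window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (hypothetical hosts, not indicators from the post):
# "<ISO time> <client> <url> <content-type>"
SAMPLE_LOG = """\
2016-10-19T09:12:03Z 10.0.0.5 http://ads.example-cdn.test/banner.swf application/x-shockwave-flash
2016-10-19T09:12:04Z 10.0.0.5 http://ek.example-ek.test/load.php?v=22.0.0.209&id=7f3a application/x-shockwave-flash
2016-10-19T09:12:09Z 10.0.0.5 http://ek.example-ek.test/get.php?id=7f3a application/octet-stream
2016-10-22T11:40:01Z 10.0.0.9 http://news.example.test/index.html?v=2 text/html
"""

# Flash Player versions are four dotted numeric fields (e.g. 22.0.0.209).
FLASH_VERSION = re.compile(r"^\d{1,2}\.\d{1,3}\.\d{1,3}\.\d{1,4}$")
SWF_TYPE = "application/x-shockwave-flash"
WINDOW = timedelta(seconds=30)  # assumed gap between version probe and payload

def parse_line(line):
    ts, client, url, ctype = line.split()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "url": url, "ctype": ctype}

def has_flash_version_in_query(url):
    """True if any query parameter value looks like a Flash Player version."""
    qs = parse_qs(urlsplit(url).query)
    return any(FLASH_VERSION.match(v) for vals in qs.values() for v in vals)

def scan(log_text):
    """Return {url: [reasons]} for requests matching the SWF version-probe pattern."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = {}
    for i, e in enumerate(entries):
        reasons = []
        if e["ctype"] == SWF_TYPE and has_flash_version_in_query(e["url"]):
            reasons.append("flash-version-in-query")
            host = urlsplit(e["url"]).hostname
            # Same client pulling a binary from the same host shortly afterwards.
            for later in entries[i + 1:]:
                if later["time"] - e["time"] > WINDOW:
                    break
                if (later["client"] == e["client"] and later["ctype"] == "application/octet-stream"
                        and urlsplit(later["url"]).hostname == host):
                    reasons.append("binary-follow-up")
                    break
        if reasons:
            hits[e["url"]] = reasons
    return hits

if __name__ == "__main__":
    for url, why in scan(SAMPLE_LOG).items():
        print(url, why)
```

Only the exploit-kit request is flagged; the ordinary ad SWF and the `?v=2` page are not, because the version-string check requires a four-field Flash version value.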
Figure 4. GreenFlash Sundown from a compromised ad server
Figure 5. Part of the code that determines the version of Flash Player installed on the system

Mitigation

While a solid backup strategy is a good defense against ransomware, doubling down on sound patch management further secures the device's perimeter. Keeping the operating system and other installed software up to date mitigates the risk of exploits targeting vulnerabilities that have already been fixed by software vendors.

gateway, endpoints, networks, and servers.

Using a security solution that can proactively provide defense against attacks leveraging system and software vulnerabilities is also recommended.

Hat tip to @kafeine, with whom we collaborated in this research/analysis.

Some of the indicators of compromise (IoCs) include:

SHA1 detected as RANSOM_LOCKY.DLDSAPZ