Symantec has found that the Sundown exploit kit (EK) has begun to take advantage of a recent Internet Explorer (IE) vulnerability, CVE-2015-2444. The EK is the first to integrate an exploit for the bug and used it in a recent watering-hole attack targeting Japan.
The CVE-2015-2444 exploit was first released to the public on 12 August. Microsoft patched this bug in a security update.
Symantec observed attackers using Sundown to exploit this bug in attacks and drop a back door Trojan on computers, primarily affecting users in Japan. The attackers injected an iframe into a legitimate website, redirecting users to a highly obfuscated landing page which contained the Sundown exploit kit.
When users arrived at the page, the exploit kit checked the computer for driver files related to particular security software, controlled application environments and traffic-capturing tools. To avoid detection, the EK did not drop exploits if any of these products were present.
After checking for acceptable conditions, the exploit kit attempted to exploit vulnerabilities in different software. If the kit succeeded in exploiting any vulnerability, it dropped Trojan.Nancrat onto the victim's computer. The threat acts as a back door and steals information from the compromised computer.