Many security researchers tracking exploit kits have noted the lack of Sundown EK activity for several weeks now. A post from Cisco's Talos team came off as a bit of a surprise at the end of March (Threat Spotlight: Sundown Matures), but any doubts were squashed by this tweet on April 8th (Sundown (Beps) and Nebula out ? More than one month since last hits).

Also, whatever happened to Bizarro and Greenflash Sundown EKs? Whether this is a temporary break or yet another dead EK, time will tell.

In the meantime, there has been much noise and some activity from an exploit kit that appeared late last year and which we wrote about in early January. Because of similarities with Sundown EK, we initially thought that it was simply a new variant but it was actually from a different actor and called Terror EK by Spider Labs.

In this post Angler era, we have been accustomed to one hit wonders or bogus kits stolen and repackaged for sale under a different name. Simon Kenin over at Trustwave tracked and exposed the activities of  the author of the Terror EK, going by the handle @666_KingCobra, in various underground forums. To make matters more complicated, there is a thing right now with rebranding and Terror EK has been known to be called Blaze, Neptune, or even Eris.

With all this noise, it's usually a good idea to look at what is actively being seen in the wild versus what may be advertised here and there. Once we see an exploit kit in various distribution campaigns we know it is at least worth looking at.

Malvertising campaigns

We have been monitoring this particular campaign for some time and this is the instance of Terror EK most known about. Various ad networks (low quality traffic) are pushing this at the moment.

Main landing page:

IE exploits:

Call to Flash exploits:

Call to Silverlight exploit:

Malware payload: Smoke Loader

Compromised sites campaign

This is a newer campaign we started to notice just a few days ago with the landing and payloads slightly different.

Redirection to EK:

The compromised websites are leveraged to redirect to the exploit kit landing page in two different ways (but both are implemented). The first is the server 302 redirect call:

But there is also another one done via script injection:

We see both of them in use, but each pushes their own flavour of Terror EK (classic one shown above via malvertising or the newer one). For example, the redir via script injection loads which in turn calls the 'classic' Terror landing:

Landing page:

This one stuffs everything into the landing page (rather than via multiple sessions). No lorem ipsum here, but some pretty lengthy text which precedes the various calls for exploits.

IE exploits:

Flash exploits:

Payload deployment (remember 'Sub fire()'?)

Malware payload: Andromeda

More copycats on the horizon

Sundown EK was notorious for stealing exploits from others and the tradition continues with more copy/paste from the ashes of dead exploit kits. If this harvesting was done on higher grade EKs, we would have a more potent threat but this isn't the case here.

If it weren't for active distribution campaigns, there would be very little to write about those numerous variants until they brought in something more serious to the table.

Malwarebytes users are protected against this exploit kit and its payloads.


Classic Terror EK patterns:
New Terror EK patterns:
Flash exploits:
Smoke Loader: