CVE-2015-1671 (silverlight up to 5.1.30514.0) and Exploit Kits

July 21, 2015, 12:11 pm

≫ Next: CVE-2014-2419 (Internet Explorer) and Exploits Kits

≪ Previous: CVE-2015-5122 (HackingTeam 0d two - Flash up to 18.0.0.203) and Exploit Kits

Patched with ms15-044 CVE-2015-1671 is described as TrueType Font Parsing Vulnerability.
Silverlight up to 5.1.30514.0 are affected, but note : most browser will warn that the plugin is outdated

Out of date Plugin protection in Chrome 39.0.2171.71

Out of date ActiveX controls blocking in Internet Explorer 11
(introduced in August 2014)

and also consider that Microsoft announced the end of Silverlight at beginning of the month.

Angler EK :
2015-07-21

Around the 1st of July some new Silverlight focused code appeared in Angler EK landing.
It even seems coders made some debug or something wrong as you could see this kind of popup several hours long on Angler EK.

Deofuscated snipet of Silverlight call exposed to Victims in Angler EK
2015-07-02

I failed trying to get something else than a 0 size silverlight calls.
I heard about filled calls from Eset and EKWatcher.
The exploit sent was 3fff76bfe2084c454be64be7adff2b87 and appears to be a variation of CVE-2015-1671 (Silverlight 5 before 5.1.40416.00). I spent hours trying to get a full exploit chain....No luck. Only 0size calls.

But, it seems it's back today (or i get more lucky ? ) :

--
Disclaimer : many indicators are whispering it's the same variation of CVE-2015-1671, but I am still waiting for a strong confirmation
--

Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in IE 11 on Windows 7
2015-07-21

Silverlight 5.1_10411.0 exploited by Angler EK via CVE-2015-1671 in Chrome 39 on Windows 7
2015-07-21

Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in Firefox 38 on Windows 7
2015-07-21

Two x86 - x64 dll are encoded in the payload stream with XTea Key : m0boo69biBjSmd3p

Silverlight dll in DotPeek after Do4dot

Sample in those pass : ac05e093930662a2a2f4605f7afc52f2
(Out of topic payload is bedep which then gather an adfraud module - you have the XTea key if you want to extract)

Files: Fiddler (password is malware)

Thanks for help/tips :
Eset, Microsoft, Horgh_RCE, Darien Huss, Will Metcalf, EKWatcher.

Read more :
CVE-2013-0074/3896 (Silverlight) integrates Exploit Kits - 2013-11-13

↧

CVE-2014-2419 (Internet Explorer) and Exploits Kits

August 10, 2015, 3:38 pm

≫ Next: CVE-2015-5560 (Flash up to 18.0.0.209) and Exploit Kits

≪ Previous: CVE-2015-1671 (silverlight up to 5.1.30514.0) and Exploit Kits

As published by FireEye Angler EK is now exploiting CVE-2014-2419 fixed with MS15-065

Angler EK :
2015-08-10

It seems they might have started to work on that exploit as early as 2015-07-24 where some instances briefly used code to gather ScriptEngineVersion from redirected visitors :

Angler EK gathering ScriptEngineVersion data the fast way.
2015-07-24

Today first pass i made was showing a new POST call and was successfully exploiting a VM that used to be safe to Angler.

CVE-2015-2419 successfully exploiting IE11 in windows 7
2015-08-10
(Here bedep grabbing Pony and TeslaCrypt then doing some AdFraud)

I spent (too much ;) ) time trying to decode that b value in the POST reply.
Here are some materials :

- The landing after first pass of decoding and with some comments : http://pastebin.com/JQuyAXar

The post call is handled by String['prototype']['jjd'] , ggg is sent to Post data as well as the ScriptEngineVersion (in the shared pass : 17728 )

- The l() function handling the post : http://pastebin.com/hxZJwbaY
- The post data and reply after first pass of decoding : http://pastebin.com/raw.php?i=NWkU7CXr

Files :2 Fiddlers (ScriptEngineVersion Gathering and successfull pass - use malware as password)

Thanks :
Horgh_RCE for his help

Read More :
CVE-2015-2419 – Internet Explorer Double-Free in Angler EK - 2015-08-10 - Sudeep Singh, Dan Caselden - FireEye
2015-08-10 - ANGLER EK FROM 144.76.161.249 SENDS BEDEP This pass shared by Brad from Malware-Traffic-Analysis is including the CVE-2015-2419

↧

CVE-2015-5560 (Flash up to 18.0.0.209) and Exploit Kits

August 30, 2015, 11:55 pm

≫ Next: Shifu

≪ Previous: CVE-2014-2419 (Internet Explorer) and Exploits Kits

Patched with flash version 18.0.0.232, CVE-2015-5560 is now being exploited by Angler EK.

Angler EK :
2015-08-29
[Edit : 2015-09-01] Exploit candidated by Kasperky as CVE-2015-5560 [/edit]
The exploit has been added the 28th. It's not being sent to Flash 18.0.0.232..
It uses the same Diffie-Hellman Key Exchange technique described by FireEye as in their CVE-2015-2419 implementation making a default fiddler unreplayable.

Angler EK pushing Bedep to Win7 IE11 Flash 18.0.0.209 - CVE-2015-5560

2015-08-29

Sample in that pass : 9fbb043f63bb965a48582aa522cb1fd0
Fiddler sent to VT (password is malware)
Note: with help from G Data, a replayable fiddler is available. No public share (you know how to get it).

Nuclear Pack :
2015-09-10
Additional post spotted on the 2015-09-10

Nuclear Pack additionnal post on 2015-09-10 showing integration of CVE-2015-5560 was on the road

and got a first payload the day after :

Nuclear Pack successfully exploiting Flash 18.0.0.209 with CVE-2015-5560 (rip from Angler)
2015-09-11

( Out of topic payload : 91b76aaf6f7b93c667f685a86a7d68de Smokebot C&C hostnamessimply1.effers .com: )
Files :Fiddler here (Password is malware)

Read More :
Adobe Flash: Overflow in ID3 Tag Parsing - 2015-16-12 Google Security Research
Three bypasses and a fix for one of Flash's Vector.<*> mitigations - 2015-08-19 - Chris Evans - Google Project Zero
CVE-2015-2419 – Internet Explorer Double-Free in Angler EK - 2015-08-10 - FireEye
Bedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schartz - Arbor Sert
Post publication reading :
Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 Kaspersky

↧

Shifu

September 24, 2015, 1:04 pm

≫ Next: A DoubleClick https open redirect used in some malvertising chain

≪ Previous: CVE-2015-5560 (Flash up to 18.0.0.209) and Exploit Kits

I noticed since several days a shift in malware distribution in the UK.
Many infection path that I follow are now dropping a banker that i already saw many times, especially at the end of 2014 and mostly in Italy.

First time I encountered that threat : 2014-10-08

Angler EK dropping 165146e43ccee9c29b62693caf290df7 in an IT focused infection path
2014-10-08

At that time I learnt from Frank Ruiz ( FoxIT ) that he spotted it 1 month earlier (2014-09-03 exactly). We were using a "non public" name to talk about it.

So two days ago in UK traffic :

2015-09-22 - An Angler EK dropping 0598ee3e06c681d7f9e05d83bb7ea422
via malvertising on GBR traffic

I saw that banking trojan again. (note : contacted, Frank Ruiz told me that this banker activity never really stopped). What was new to me is that it was installing Apache,

Apache folder installed by 0598ee3e06c681d7f9e05d83bb7ea422
2015-09-22

Apache Config

Data folder of the Apache installation

Customers of 4 financial institutions are targeted by the injects stored in the config.xml

config.xml

The same day i saw it again, other malvertising campaign (read: other actor bringing the traffic) and not dropped directly but as a 2nd Stage in a bedep thread which was not grabbing an adfraud module:

Angler EK pushing bedep grabbing 791491ba9f0a7670659f45f1e5421c83
2015-09-22

Seeing it again today in malvertising campaign focused on UK, I decided to write about that and contacted Brett StoneGross (Dell SecureWorks) to try and get the 'defense name' for this. He told me that what I was describing was probably Shifu..and fast confirmed it looking at the sample.

So here we are: Shifu <3 GBR

Shifu <3 GBR
2015-09-24

Side note : Here are some of the DGA in case main domain stop working.

Files :ShifuPackage_2015-09-24.zip Password : malware

Contains : 4 fiddler, 1 pcap, 6 samples and 2 apache config folder (with injects).

Thanks: Frank Ruiz (Foxit) and Brett StoneGross (Dell SecureWorks) for their inputs/insight/awesomeness.

Read More:
Shifu: ‘Masterful’ New Banking Trojan Is Attacking 14 Japanese Banks - 2015-08-31 - Limor Kessem - IBM X-Force
Japanese Banking Trojan Shifu Combines Malware Tools - 2015-09-24 - Diwakar Dinkar - McAfee

↧

A DoubleClick https open redirect used in some malvertising chain

October 15, 2015, 6:05 am

≫ Next: CVE-2015-7645 (Flash up to 19.0.0.207) and Exploit Kits

≪ Previous: Shifu

In the post on the UK focused Shifu I illustrated malvertising traffic to Angler.

The traffer group behind this activity is the same exposed by BelchSpeak from Invincea in many tweets (explaining the addition of code to spot Invincea Sandbox) FoxIT in june, Malwarebytes in September, or Trendmicro 2 weeks ago.

As it's easier to have a name to share/talk about stuff i'll use "VirtualDonna Traffers" to refer to them (virtualdonna .com is one of the domains they used that got some attention)

Earlier this year they were using https bit.ly,

2015-07-11 - bit.ly as https url shortener

tiny url

2015-07-11 - tiny url as https url shortener

or goo.gl url shortener

2015-06-12 - goo.gl as https url shorterner

and switched to their own https redirector behind cloudflare around the middle of September ( naotsandhap.eu

Two pass here : same source (Dailymotion), same country (Australia), same Traffer for same customer
(how/why? same payload : Reactorbot srvdexpress3 .com)
Different Legit part of the chain
2015-09-29

then 2 weeks ago mediacpm.com and wrontoldretter.eu )

https gives the traffer the ability to kill the referer chain (making it more difficult to figure out where the Exploit Kit landing spotted in the traffic is coming from).
Once discovered a way to Sig this is to flag the ssl certificate being used.

Those days they are using a DoubleClick https open redirect.

VirtualDonna Traffers exploiting an https open redirect by Doubleclick in its chain to Angler EK

GB - 2015-10-15

Out of topic Payload in that pass : Shifu - 695d6fbd8ab789979a97fb886101c576 beaconing to nyctradersacademy .com

Doubleclick has been informed about the issue.

↧

CVE-2015-7645 (Flash up to 19.0.0.207) and Exploit Kits

October 29, 2015, 1:30 am

≫ Next: Inside Jahoo (Otlard.A ?) - A spam Botnet

≪ Previous: A DoubleClick https open redirect used in some malvertising chain

The CVE-2015-7645 has been fixed with Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, this exploit was already reported 2 weeks before (2015-09-29) to Adobe by Natalie Silvanovich.

I reported the Flash 0-day (CVE-2015-7645) two weeks before it was found in the wild https://t.co/nYeAWRG5jO
— Natalie Silvanovich (@natashenka) 16 Octobre 2015

It has now made its way to Exploit Kit

Angler EK :
2015-10-29
CVE id confirmed by Kaspersky.

Angler EK successfully exploiting Flash 19.0.0.207
2015-10-29

Flash sample in that pass : 4af57fb1c71bb9c1599371d48240ff36
Another sample : bea824974f958ac4efc58484a88a9c18
One more from the Poweliks instance : 0d72221d41eff55dcfd0da50cd1c545e

Not replayable fiddler sent to VT

Out of topic sample loaded by bedep :
5a60925ea3cc52c264b837e6f2ee915e Necurs
a9d5a9a997954f5421c94ac89d2656cd Vawtrak ( < that one was not expected in that infection path)

Nuclear Pack:
2015-10-30
Nuclear Pack which has been playing with landing URI pattern lately has integrated it

CVE-2015-7645 in Nuclear Pack on 2015-10-30

Sample in that pass : f5dd2623ae871d58483bf14ec5d635e4

Out of topic payload : 0b3de2a8d838883e10a1d824d20fe95c Kelihos Loader (harsh02)

Fiddler sent to VT

↧

Inside Jahoo (Otlard.A ?) - A spam Botnet

November 28, 2015, 6:24 am

≫ Next: Nuclear Pack loads a fileless CVE-2014-4113 Exploit

≪ Previous: CVE-2015-7645 (Flash up to 19.0.0.207) and Exploit Kits

Trash and Mailbox by Bethesda Softworks

Otlard.A (or let's say at least the malware triggering 2806902 || ETPRO TROJAN Win32.Otlard.A C&C Checkin response ) is a Spam Botnet

I saw it loaded as a plugin in an instance of Andromeda

That Andromeda is being spread via :

Bedep build id 6005 and here 6007 from an Angler EK fed by Malvertising :

VirtualDonna group redirecting traffic to an Angler instance loading Bedep buildid 6007 in memory
Bedep 6007 loading Andromeda 55ead0e4010c7c1a601511286f879e33 before update task.
2015-09-28

Note : Bedep 6007 was sometimes loading it with other payload
-2015-09-16 for : ec5d314fc392765d065ff16f21722008 with Trapwot (FakeAV) e600985d6797dec2f7388e86ae3e82ba and Pony a4f08c845cc8e2beae0d157a3624b686
-2015-09-29 for : 37898c10a350651add962831daa4fffa with Kovter ( 24143f110e7492c3d040b2ec0cdfa3d0 )
That Andromeda beaconing to dnswow .com enslaved >10k bots in a week :

Andromeda dnswow 2015-11-22

Andromeda dnswow 2015-11-27

Here the Otlard.A task in that Andromeda instance :

Task installing Otlard.A as a plugin to Andromeda

a Task in a Smokebot dropped by Nuclear Pack fed by Malvertising :

Malvertising > Nuclear Pack > Smokebot > Stealer, Ramnit, Htbot and Andromeda > Otlard.A

2015-11-28

Smokebot : cde587187622d5f23e50b1f5b6c86969
Andromeda : b75f4834770fe64da63e42b8c90c6fcd
(out of topic Ramnit : 28ceafaef592986e4914bfa3f4c7f5c0 - It's being massively spread those days in many infection path. (Edit 2015-12-29 : Htbot.B : d0a14abe51a61c727420765f72de843a named ProxyBack by PaloAlto)

Now here is what the control panel of that plugin looks like :

Otlard.A panel :

Otlard.A - JahooManager - Main - 2015-09-27

Otlard.A - JahooManager - Servers - 2015-09-27

Otlard.A - JahooManager - Settings - 2015-09-27

Otlard.A - JahooManager - Campaigns - 2015-09-27

Otlard.A - JahooManager - Bot - 2015-09-27
that exe is : 2387fb927e6d9d6c027b4ba23d8c3073 and appears to be Andromeda

Otlard.A - JahooSender - Tasks - 2015-09-27

Otlard.A - JahooSender - Tasks - 2015-11-28

Otlard.A - JahooSender - Tasks - Done Task - 2015-09-27

Otlard.A - JahooSender - Domains - 2015-09-27

Otlard.A - JahooSender - Domains - 2015-11-28

Otlard.A - JahooSender - Messages - 2015-09-27

Otlard.A - JahooSender - Messages - 2015-11-28

Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28

Otlard.A - JahooSender - Headers - 2015-11-28

Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28

Otlard.A - JahooSender - Macross - 2015-11-28

Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28

Otlard.A - JahooSender - Attach - 2015-11-28

Otlard.A - JahooSender - Attach - Attached image - 2015-11-28

Otlard.A - JahooSender - Rules - 2015-11-28

Otlard.A - JahooSender - Rules > Spam - 2015-11-28

Olard.A - JahooSender - Rules > User - 2015-11-28

Olard.A - Bases - Emails - 2015-11-28

Olard.A - Bases - Blacklist - 2015-11-28

Olard.A - Bases - Blacklist - Edit - 2015-11-28

Olard.A - Botnet - Main - 2015-09-27

Olard.A - Botnet - Main - 2015-11-28

Otlard.A - Botnet - Modules - 2015-11-28

Otlard.A - Botnet - Modules - Edit - 2015-11-28

Otlard.A - Incubator - Accounts - 2015-11-28

Otlard.A - Incubator - Settings - 2015-11-28

Note : registrator menu has disappeared in last version.

--
Andromeda C&C 2015-11-28 :
5.8.35.241
202023 | 5.8.35.0/24 | LLHOST | EU | llhost-inc.com | LLHost Inc

Spam Module C&C 2015-11-28 :
5.8.32.10
5.8.32.8
5.8.32.52
5.8.34.20
5.8.32.53
5.8.32.56
202023 | 5.8.32.0/24 | LLHOST | EU | zanufact.com | LLHost Inc

Thanks : Brett StoneGross for helping me with decoding/understanding the network communications

Files :
All samples which hashes have been discussed here are in that zip.
Jahoo - socker.dll : 7d14c9edfd71d2b76dd18e3681fec798
( If you want to look into this, i can provide associated network traffic)

Read More :

Inside Andromeda Bot v2.06 Webpanel / AKA Gamarue - Botnet Control Panel 2012-07-02
Inside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27
Inside Smoke Bot - Botnet Control Panel - 2012-04-28

Post publication Reading :
ProxyBack Malware Turns User Systems Into Proxies Without Consent - 2015-12-23 - JeffWhite - PaloAlto

↧

Nuclear Pack loads a fileless CVE-2014-4113 Exploit

December 1, 2015, 4:12 am

≫ Next: CVE-2015-8446 (Flash up to 19.0.0.245) And Exploit Kits

≪ Previous: Inside Jahoo (Otlard.A ?) - A spam Botnet

Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack.
Without big surprise the sample ( 592899e0eb3c06fb9fda59d03e4b5b53 ) dropped by Nuclear is the same as the fake update proposed.

But there was an additionnal 11kb payload call for which i could not find sample on drive

Nuclear Pack dropping Nymaim in the 2015-11-30 Spam Campaign

It was also unusually encoded with two XOR pass and first part of the decoded stream is a Shellcode.

Friends (who don't want to be mentioned) figured a privilege escalation was in use there :

According to Kaspersky and Timo Hirvonen (F-Secure) it's CVE-2014-4113 ( Win32k.sys Elevation of Privilege Vulnerability )

I did not got to see the privilege escalation in live condition.

Note: it's not the first time a public Exploit Kit is integrating an exploit to escalates right on dropped payload (Cf CVE-2015-2426 in Magnitude )

Files : Fiddler and Dll here(password is malware - XOR key : 56774347426F664767 then 213404052d09212031)
Thanks : Kaspersky, Timo Hirvonen , Malc0de and 2 other friends for taking some time and use their wizardness on this.

Read More :
An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - 2014-10-29 - TrendMicro

↧

CVE-2015-8446 (Flash up to 19.0.0.245) And Exploit Kits

December 15, 2015, 5:29 am

≫ Next: XXX is Angler EK

≪ Previous: Nuclear Pack loads a fileless CVE-2014-4113 Exploit

One week after patch Flash 19.0.0.245 is being exploited by Angler EK via CVE-2015-8446

Angler EK :
2015-12-14
CVE identification by Anton Ivanov ( Kaspersky ) and FireEye (Thanks !)

Angler EK exploiting Flash 19.0.0.245 via CVE-2015-8446

2015-12-14

Sample in that pass : b5920eef8a3e193e0fc492c603a30aaf
Sample from other Angler EK instance : 0615fb9e037b7bf717cc9b04708e51da 720089b93a0f2bb2a72f1166430de522

Fiddler sent to VT.
(Not replayable. You know how to contact me to land on live instances. I might not reply to mail coming from gmail,live,yahoo etc... mailboxes)

Out of topic : in that pass Bedep BuildID 5004 is loaded in Memory and is then grabbing those 2 dll in a stream
f5c1a676166fe3472e6c993faee42b34
d65f155381d26f8ddfa304c83b1ad95a
and after that performing Adfraud

CVE-2015-8446 in Angler EK - malicious mp3 is stored in encrypted JSON (same schema as in CVE-2015-5560). pic.twitter.com/FCyvP43Q0X
— Anton Ivanov (@antonivanovm) December 17, 2015

Last safe version of Flash against commercial exploit kit was 19.0.0.226 fixing CVE-2015-7645

Post publication readings :
(Google Translate) Angler EK latest CVE-2015-8446 Flash Exploit analysis - 2015-12-19 - Qihoo360

↧

XXX is Angler EK

December 21, 2015, 5:16 am

≫ Next: CVE-2015-8651 (Flash up to 20.0.0.228/235) and Exploit Kits

≪ Previous: CVE-2015-8446 (Flash up to 19.0.0.245) And Exploit Kits

Snipshot of MonterAV Affiliate

As I got many questions about an EK named XXX (that is said to be better than Angler ;) ) I decided to share some data here.

XXX is Angler EK ( it's the real name of its most documented instance at least)

Angler EK / XXX IE sploit only Stats on 2015-07-25
(for some reason Flash Exploits were not activated on that thread)
Note the Chase Logo >> JPMorgan >> Cool EK's Exploit Buyer ;)

You might want to read "The Transition - "Reveton Team" or "Mr.J/Monster AV" from :
Paunch's arrest...The end of an Era ! (2013-10-11) . This is where I first wrote the defense chosen name for this Exploit Kit. The name is chosen after a logo from the Reveton Affiliate.

Snipshot of "The Transition" after Paunch's Arrest

But Angler was around before the Reveton team started to use it.

Here is one used against Ukrainian that i captured in August 2013

2013-08-27 - Exploit Kit unknown to me at that time
Ancestor of Angler EK as we know it

when Reveton Team was still on Cool EK. It appears that instance had already Fileless capabilities.

A Russian researcher friend connect that instance back to this Securelist post from 2012-03-16 : A unique ‘bodiless’ bot attacks news site visitors

So the (c) 2010 at the bottom of the control panel is probably...the real birth year of Angler.

This indexm.html variant of Angler EK is most probably still being used in RU/UA and was one of the early adopter of CVE-2015-0311 (a flash 0day from January) before many "standard" instances of Angler. There was still java exploit inside in march

2015-01-27 - Angler EK "indexm" exploiting CVE-2015-2551 and firing Java exploits

Angler EK has been briefly mentioned (translation here ) as part of a "partnerka" by a user using Menatep as Nickname in February 2014

Conclusion : xxx is what we call Angler EK and Angler EK (indexm instance) is not that young!

Files :2 Fiddler pass of Angler EK "indexm" from 2013 and 2015 (Password : malware)

Read More :
Police Locker land on Android Devices - 2014-05-04
Paunch's arrest...The end of an Era ! - 2013-10-11
Crimeware Author Funds Exploit Buying Spree - 2013-01-07 - KrebsOnSecurity
Cool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop - 2012-10-09
A unique ‘bodiless’ bot attacks news site visitors - 2012-03-16 - Sergey Golovanov - Securelist

↧

CVE-2015-8651 (Flash up to 20.0.0.228/235) and Exploit Kits

January 25, 2016, 2:51 am

≫ Next: Cryptowall son of Borracho (Flimrans) ?

≪ Previous: XXX is Angler EK

While other exploit kit are struggling to keep up with Angler (none is firing CVE-2015-8446 , maybe because of the Diffie-Hellman protection on Angler's exploits ),

- Nuclear / Magnitude and Neutrino last exploits are from October (CVE-2015-7645)

- RIG and Sundown are relying on July exploits (Hacking Team's one - CVE-2015-5122)
( all have the IE CVE-2015-2419 from august)

Angler has just integrated CVE-2015-8651 patched with Flash 20.0.0.270 on 2015-12-28

Angler EK : 2016-01-25
The exploit might be here since the 22 based on some headers modification which appeared that day.
It's not yet pushed in all Angler EK threads but widely spread.
Thanks Anton Ivanov (Kaspersky) for CVE Identification !

CVE-2015-8651 (and CVE-2015-2419) being successfully exploited by Angler EK to load bedep in memory
2016-01-25

Fiddler sent to VT.

---
Another pass via the "noisy" Cryptowall "crypt13x" actor which threads also has it :

CVE-2015-8651 being successfully exploited by Angler EK to load Cryptowall (crypt13001)
from the widely spread and covered "crypt13x" actor thread - 2016-01-25

(Out of Topic payload : 5866906a303b387b9918a8d7f8b08a51 Cryptowall crypt13001 )

I have been told by Eset that the exploit is successful on Flash 20.0.0.235 and Firefox.

Read More:
(GoogleTranslate - via @eromang ) Offshore "Dark Hotel" organization of domestic business executives launched APT attacks - 2015-12-31 - ThreatBook

Post publication reading :
An Analysis on the Principle of CVE-2015-8651 - Antiy Labs - 2016-01-26

↧

Cryptowall son of Borracho (Flimrans) ?

February 10, 2016, 12:15 pm

≫ Next: CVE-2016-0034 (Silverlight up to 5.1.41105.0) and Exploit Kits

≪ Previous: CVE-2015-8651 (Flash up to 20.0.0.228/235) and Exploit Kits

Lately I received multiple questions about connection between Reveton and Cryptowall.
I decided to have a look.

A search in ET Intelligence portal at domains from Yonathan's Cryptowall Tracker

ET Intelligence search on Specspa .com

show that the first sample ET has talking with it is :
e2f4bb542ea47e8928be877bb442df1b 2013-10-20

A look at the http connexion shows the "us.bin" call mentioned by Yonathan (btw the us.bin item is still live there)

ET Intelligence : e2f4bb542ea47e8928be877bb442df1b http connexions

ET Intelligence : Associated alert pointing at Cryptowall.

A look into VirusTotal Intelligence shows that this sample is available in a Pcap captured and shared by ThreatGlass :

NSFW://www.threatglass .com/malicious_urls/sunporno-com

Himan EK dropping Cryptowall 2013-10-20

captured by ThreatGlass

With the same referer and in the same Exploit Kit i got dropped 20 days earlier Flimrans :
(See : http://malware.dontneedcoffee.com/2013/10/HiMan.html )

Flimrans disappeared soon after this post from 2013-10-08 about the affiliate :
http://malware.dontneedcoffee.com/2013/10/flimrans-affiliate-borracho.html

Interestingly Flimrans is showing in US the same Design from Reveton pointed by Yonathan :

Flimrans US 2013-10-03

What is worth mentioning is that Flimrans was the only ransomware (i am aware of) to show a Spanish version of this same design :

Flimrans ES 2013-10-03

The timeline is also inline with a link between those two Ransomware (whereas Reveton was still being distributed months after these events).

Digging into my notes/fiddlers i even found that this bworldonline .com which is still hosting the us.bin was in fact also the redirector to HiMan dropping Flimrans 20 days earlier from same sunporno upper.
[The credits goes to Eoin Miller who at that time pointed that infection path allowing me to replay it]

The compromised server storing the first design Blob used by cryptowall
used to redirect 20 days earlier to Himan dropping Flimrans (which is using that same design).

So...Cryptowall son of Borracho? I don't know for sure...but that could to be a possibility.

Files : Items mentionned here. (password is malware)

Read More:
HiMan Exploit Kit. Say Hi to one more - 2013-10-02
Flimrans Affiliate : Borracho - 2013-10-08

↧

CVE-2016-0034 (Silverlight up to 5.1.41105.0) and Exploit Kits

February 22, 2016, 9:17 am

≫ Next: CVE-2016-1010 (??? - Flash up to 20.0.0.306) and Exploit Kits

≪ Previous: Cryptowall son of Borracho (Flimrans) ?

Fixed with the January 2016 Microsoft patches, CVE-2016-0034 ( MS16-006 ) is a Silverlight Memory Corruption vulnerability and it has been spotted by Kaspersky with rules to hunt Vitaliy Toropov’s unknown Silverlight exploit mentioned in HackingTeam leak.

Angler EK :

On the 2016-02-18 the landing of Angler changed slightly to integrate this piece of code :

Silverlight integration Snipet from Angler Landing after decoding
2016-02-18

resulting in a new call if silverlight is installed on the computer:

Angler EK replying without body to silverlight call
Here a Pass in great britain dropping Vawtrak via Bedep buildid 7786
2016-02-18

I tried all instances i could find and the same behavior occured on all.

2016-02-22 Here we go : call are not empty anymore.

Angler EK dropping Teslacrypt via silverlight 5.1.41105.0 after the "EITest" redirect
2016-02-22

I made a pass with Silverlight : 5.1.41212.0 : safe.

Edit1 : I received confirmation that it's indeed CVE-2016-0034 from multiple analyst including Anton Ivanov (Kaspersky). Thanks !

Xap file : 01ce22f87227f869b7978dc5fe625e16
Dll : 22a9f342eb367ea9b00508adb738d858
Out of topic payload : 6a01421a9bd82f02051ce6a4ea4e2edc (Teslacrypt)
Fiddler sent here

Reading :
The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day - 2016-01-13 - Costin Raiu& Anton Ivanov - Kaspersky

↧

CVE-2016-1010 (??? - Flash up to 20.0.0.306) and Exploit Kits

March 26, 2016, 5:53 am

≫ Next: CVE-2016-1019 (Flash up to 21.0.0.182/187) and Exploit Kits

≪ Previous: CVE-2016-0034 (Silverlight up to 5.1.41105.0) and Exploit Kits

NB : the CVE id is not confirmed yet.This one is used with the same "power".
I'll fix/replace if it appears to be the wrong id.

Two weeks after Flash patch, two months after last Flash exploit integration in Angler, on the 2016-03-25 Angler EK, in some threads, is starting to send an exploit to Flash Player 20.0.0.270 and 20.0.0.306

I tried multiple configuration but I was not able to get exploited. The following day I got successful infections with Flash 20.0.0.270 and 20.0.0.306. This is a good candidate for CVE-2016-1010. I asked help to get an identification.

Angler EK :
2016-03-25

2016-03-26 - Angler EK successfully exploiting Flash 20.0.0.306 in Internet Explorer 11 on Windows 7

Fiddler sent to VT here.
Hash of the associated SWF fwiw : b609ece7b9f4977bed792421b33b15da

Observed as well : ab24d05f731caa4c87055af050f26917 - c4c59f454e53f1e45858e95e25f64d07

NB : this is just "one" pass. This exploit can be used to spread whatever Angler EK customers want to spread .

Selected examples I saw in the last 4 days :

Teslacrypt (ID 20, 40,52, 74 ,47) ,

Locky (affid 14 - 7f2b678398a93cac285312354ce7d2b7 and affid 11 - f417b107339b79a49e4e63e116e84a32),

GootKit b9bec4a5811c6aff6001efa357f1f99c,

Vawtrak 0dc4d5370bc4b0c8333b9512d686946c

Ramnit 99f21ba5b02b3085c683ea831d79dc79

Ursnif (DGA nasa) 11d515c2a2135ca00398b88eebbf9299

BandarChor, (several instances, ex f97395004053aa28cadc6d4dc7fc0464 - 3c9b5868b4121a2d48b980a81dda8569 )

Graybird/LatentBot f985b38f5e8bd1dfb3767cfea89ca776

Dridex - b0f34f62f49b9c40e2558c1fa17523b5 (this one was 10 days ago..but worth a mention)

Andromeda (several instances)

and obviously many Bedep threads and their stream of PE (evotob, reactorbot (several instances), Tofsee, Teslacrypt,Kovter, Miuref)

↧

CVE-2016-1019 (Flash up to 21.0.0.182/187) and Exploit Kits

April 8, 2016, 1:51 am

≫ Next: Bedep has raised its game vs Bot Zombies

≪ Previous: CVE-2016-1010 (??? - Flash up to 20.0.0.306) and Exploit Kits

Spotted in a "degraded" version on the 2016-04-02 in Magnitude, live also since 2016-03-31 in Nuclear Pack, Adobe was really fast at fixing this vulnerability with the patch released on the 2016-04-07 bringing Flash Player to version 21.0.0.213

It's not the first time a "0day" exploit is being used in a "degraded" state.
This happened before with Angler and CVE-2015-0310 and CVE-2014-8439

You'll find more details about the finding on that Proofpoint blog here :
"Killing a zero-day in the egg: Adobe CVE-2016-1019"
and on that FireEye blog here:
CVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit
Note : we worked with Eset, Kaspersky and Microsoft as well on this case.

Nuclear Pack :
2016-03-31 "Degraded"
Identification by Eset, Kaspersky and FireEye (Thanks)

Exploit sent to Flash Player 20.0.0.306 by Nuclear Pack on the 2016-03-31
CVE-2016-1019 inside

Sample in that pass: 301f163644a525155d5e8fe643b07dceac19014620a362d6db4dded65d9cad90
Out of topic example of payload dropped that day by that instance of Nuclear : 42904b23cff35cc3b87045f21f82ba8b (locky)

Note the string "CVE-2016-1001" in the Nuclear Pack, explaining why maybe this exploit is being used in a degraded state.

CVE-2016-1001 string spotted by Denis O'Brien (Malwageddon), the 2016-04-05 in Nuclear Pack exploit

Magnitude :
2016-04-02 "Degraded" to 20.0.0.306
Identified as is by FireEye
[2016-04-07: TrendMicro told me they found some hits for this exploit in Magnitude back from 2016-03-31 as well]

Magnitude exploiting Flash 20.0.0.306 with CVE-2016-1019 the 2016-04-02 in the morning.
Payload is Cerber.

Side note : the check on the redirector in front of Magnitude ( http://pastebin.com/raw/gfEz25fa ) which might have been fixed with the CVE-2015-2413 was in Magnitude landing itself from September to end of November 2015.

res:// onload check features unobfuscated at that time in Magnitude Landing 2015-09-29

Sample in that pass: 0a664526d00493d711ee93662a693eb724ffece3cd68c85df75e1b6757febde5
Out of topic payload: 9d92fb315830ba69162bb7c39c45b219cb8399dd4e2ca00a1e21a5457f92fb3c Cerber Ransomware

Note: I got successful pass with Windows 8.1 and Flash 20.0.0.272 as well and Windows 10 build 1511 (feb 2016) via Flash 20.0.0.306 on Internet Explorer 11. Edge seems not being served a landing.

Neutrino:
2016-04-11 - "degraded" as well it seems. (at least didn't got it to work on Flash 21.x)
CVE id by @binjo and Anton Ivanov (Kaspersky)

Neutrino successfully exploit Flash 20.0.0.306 with CVE-2016-1019
2016-04-11

Fiddler :Sent to vt
Out of topic payload: 83de3f72cc44215539a23d1408c140ae325b05f77f2528dbad375e975c18b82e

Reading :
Killing a zero day in the egg : CVE-2016-1019 - 2016-04-07 - Proofpoint
CVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit - 2016-04-07 - Genwei Jiang - FireEye
Zero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player - 2016-04-07 - Peter Pi, Brooks Li and Joseph C. Chen - TrendMicro

↧

Bedep has raised its game vs Bot Zombies

April 14, 2016, 9:33 am

≫ Next: U-Admin (Universal Admin): A Phishing(Web&Android)/Grabber/ATS/Token kit

≪ Previous: CVE-2016-1019 (Flash up to 21.0.0.182/187) and Exploit Kits

Simulacra & Simulation - Jean Baudrillard

Featured in Matrix

Bedep could be described as a fileless loader with a resident module that can optionally perform AdFraud. It's intimate to Angler EK and appeared around August 2014.

On the 2016-03-24 I noticed several move in Bedep.

Angler infecting a VM and integrating it into an instance of Bedep botnet
2016-03-24

No more variable in the URI (as several month before), the protocol Key changed and in most of my manual checks, all threads were sending a strange payload in the first stream.

2ko size for Win7 64bits :

80eb8a6aba5e6e70fb6c4032242e9ae82ce305d656b4ed8b629b24e1df0aef9a

Popup shown by the first payload from Bedep Stream - Win7
(in the background Angler Landing)

48ko size for WinXP 32bits:

a0fe4139133ddb62e6db8608696ecdaf5ea6ca79b5e049371a93a83cbcc8e780

Popup shown by the first payload from Bedep Stream - WinXP

Looking at my traffic I thought for some time that one of the Bedep instances was split in two.

Then I understood that I got different result on my "manually" driven VM (on VMWare ESXi) and my automated Cuckoo driven one ( on VirtualBox). I suspected it was related to hardening, as this is one of the main difference between those two systems.

And I got confirmation. Here is an example on a GooNky ([1][2][3]) malvertising traffic in Australia :

A VM not hardened enough against Bedep got redirected to a "decoy" instance of Bedep that i will refer as :
Bedep "Robot Town" - 2016-04-12

Now look what i get instead with a VM that is not spotted as is:

Same Angler thread - VM not detected. 1st Stream get Vawtrak
2016-04-12

( Vawtrak in that stream d24674f2f9879ee9cec3eeb49185d4ea6bf555d150b4e840407051192eda1d61)

I am not skilled enough to give you the list of checks Bedep is doing. But here is one of them spotted by Cuckoo :

Bedep doing some ACPI checks

I think there are multiple level of checks. Some resulting in Bedep not trying to contact the C&C, some where the positive check end up with a different seed for the Bedep DGA redirecting spotted machines in a dedicated instance.

This is quite powerful :

- the checks are made without dropping an executable.

- if you don't know what to expect it's quite difficult to figure out that you have been trapped

- there is a lot of things that operators can do with this list of known bots and initial Bedep thread ID.

One of them is for instance knowing which of the infection path are researcher/bots "highway" :

Illustration for Bedep "Robot Town" from an "infection path" focused point of view

This could be just a move to perform different tasks (AdFraud only (?) ) on VMs, but my guess it that this Bedep evolution on 2016-03-24 is a fast reaction to this Proofpoint Blog from 2016-03-18 which show how Bedep threads are additional connectable dots.

Sharing publicly is often a difficult decision. The question is which side will benefits the most from it, in the long time.

For researchers:

In the last 3 weeks, if your VM have communicated with :

95.211.205.228 (which is a Bedep ip from end of 2015 reused) or 85.25.41.95

( http.uri.path in "ads.php?sid=1901" ) and you are interested by the "real payload" then you might want to give PAfish a run.

Sad little robot from "Robots" movie

On the other hand, any of your VM which has communicated with 104.193.252.245 (Bedep "standard" 18xx 19xx instance) since the 24 of March is hardened enough to grab the real payload.

Acknowledgements :

Thanks Will Metcalf and Malc0de for the discussions and help on this topic

I'm sorry, but I must do it...Greetings to Angler and Bedep guys. ;) You are keeping us busy...and awake !

Reading :

Video Malvertising Bringing New Risks to High-Profile Sites - 2016-03-18 - Proofpoint

Bedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Scharz - ArborSert

Angler EK : now capable of "fileless" infection (memory malware) - 2014-08-30

Modifying VirtualBox settings for malware analysis - 2012-08-23 - Mikael Keri

↧

U-Admin (Universal Admin): A Phishing(Web&Android)/Grabber/ATS/Token kit

May 15, 2016, 4:09 am

≫ Next: CVE-2016-4117 (Flash up to 21.0.0.213) and Exploit Kits

≪ Previous: Bedep has raised its game vs Bot Zombies

Fallout Vault Boy mask

The goal of the post is to open-source data on a kit that has been seen live impersonating bank portal. This is mostly Raw data, few part only will be "google translated".

On September 2015 the 16th, an advert about a multipurpose kit appeared underground :
------------------------------------------
By: [Redacted]
Subject : Инжекты | Админки | Фейки, -50% от рыночных цен -

Доброе время суток всем.

Рад предоставить свои услуги по разработке следующих проектов:

Инжекты;
Grabers 80-150$*;
Pasive ATS 500-800$*;
Active ATS 800-1500$*;
Tooken Panels 400-800$*;
Replacers 200-400$*;
И многое другое...

Фейки;
Простые клоны 70-150$*;
Продвинутые с перехватом 200-500$*;

Админки на пхп;
Под любые нужды ...

*данные цены служат ориентиром. Реальная цена будет зависеть от каждого техзадания индивидуально

Jabber( [Redacted]@exploit.im )
ICQ( 6[Redacted]8 )
------------------------------------------
Google Translated as :
------------------------------------------
By: [Redacted]
Subject: Inject | admin area | Fakes, -50% of the market price -

Good time of day to all.

I am glad to provide services for the development of the following projects:

Inject;
Grabers 80-150 $ *;
Pasive ATS 500-800 $ *;
Active ATS 800-1500 $ *;
Tooken Panels 400-800 $ *;
Replacers 200-400 $ *;
And much more...

fakes;
Simple clones 70-150 $ *;
Advanced interception $ 200-500 *;

Admin Center on php;
Under any needs ...

* These prices are a guide. The actual price will depend on each individual ToRs

Jabber ([Redacted] @ exploit.im)
ICQ (6[Redacted]8)

------------------------------------------
NB : The Subject became later :
--
Инжекты | Админки | Фейки | Android Инжекты, -50% от рыночных цен -
-
Inject | admin area | fakes | Inject Android, 50% of the market price -
--
Seller later added :

------------------------------------------
Последее время очень мнoго вопросов по поводу как работает перехват на скам странице. Решил детально описать процес чтобы изначально не вводить клиентов в заблуждение.

В самом начале надо понять что такое "СКАМ СТАНИЦА".
"СКАМ СТРАНИЦА"- это копия реальной странички логина в банк ,которая находится на нашем сервере с похожем на банк доменом. Все детали вводимые на ней будут лететь к нам.
Далее уже на выбор, или дание идут на емайл, или на специально сделанную админку.
Тоесть суть замута такова:
жертва попадает на нашу страницу ->
вводит данные->
потом наша страница кидает жертву обратно на оригинал ->
и мы поже ипользуем данные сами чтобы войти..

| Это самый примитивный пример , на самом деле все чуток сложнее и зависит от фантазии заказа .

Дальше надо понять что такое "ПЕРЕХВАТ".
"ПЕРЕХВАТ" - eто вид обмана, очень часто ипользуетса в инжектах. Само название говорит за себя.
Инжект перехватывает дание в рельном времени и присылает нам . В это время жертва как обычно ждет с гиф на экране,а вы заходите вместо него.

| Зачем это надо?
Затем что если для перевода вам требуется дополнительно второй пароль/смс/тукен то можно это запросить ,пока жертва ждёт, через специально сделанные команды в админке.
Основной бенефит что это можно делать повторно ,много раз.

|
| Перехват на скам страничке работать точно также . Жертвa вводить дание и ждет пока мы его спросим то что нам надо.
|
Поэтапно:

Преставим себе что есть банк где на вход надо UserName и Password . На активацию перевода по IBAN надо нoмер с тукен-прибора (Pin1) и для переводa надо ввести номер в тукен-прибор и тукен-прибор даст нам номер обратно (Pin2)
Теперь преставим себе что у нас есть скам странница на этот банк , которая будет отсылать нам получение даные для входа и потом покажет заставку жертве с просьбой подождать.

Мы находимся на другом конце в админке и наблюдаем такую катину .

Краткое пособие по админке.

"I'am Online"- показывает находится ли оператор в админке , если "Off-line"то все жертвы будут перенаправлены обратно на оригинал страницу.

Колонка "Keys"это есть полученные детали для входа.
Колонка "Pin"это для получених тукенов/пинов .
Колонка "Task"для добавленья операции по запросу тукена/пинов .
Колонка "Redirect"показывает релле редиректа конкретной жертвы . Если поставить "On"то жертва будет перенапрвлена на оригинал сразу.

| *Если жертва мегает красним то это значит что жертва какраз ждет от вас комаду

И так , на даном этапе у нас есть логины для входа , и ждущий человвек на нашей странице .
Входим, идем на активацию IBAN . Там нас спрашивает Pin1/Tooken1 .
Мы идем обратно на админку и нажимаем запрос операции. У нас откроется окно с выбором операций .

Нажимаем на "ask Pin1"и жертва видит вот это:

Дальше все просто. Жертва вводить "pin1"и он приходит к нам на админку . А жертва в это время снова видит пред собой заставку "подождите" .
Если пин подошол, идем на перевод и такимже способом просим "pin2". Важно понимать что это все можно повторять много раз и после неверного пина можно снова его запросить .

Если залив ушол , ставим "Redirect"на "On"и юсер уходит на оригинал. Или в продвинутых системах можно показать ему техроботы и попросить зайти попоже.

Вот и все!

**Все тексты на английском по админке написаны с ошибками , я это знаю ).Делал очень быстро . Никак не дойдут руки сделать до конца

------------------------------------------
On march 2016 the 9th :
------------------------------------------

доброе время суток всем.

С великой радостью рад предложить свои услуги по разработке инжектов под мобильные устройства для многих публичных андроид ботов .
Цены зависят от тех заданий .
Пример роботы на один из UK линков можно посмотреть тут
[REDACTED]
pass:demo

With great joy, I am pleased to offer its services on developing injects for mobile devices for many public android bots.
The prices depend on those jobs.
An example of one of the injects on the UK link can be found here
[REDACTED]
pass:demo
------------------------------------------
Files mirrored here. (pass: demo)
On march 2016 the 16th:
------------------------------------------
Ladie's and Gentlemen's.
Don't miss out some fresh and well-designed mobile injects for UK.
9 common links.
Hight % success task.

------------------------------------------
On march 2016 the 31st:
------------------------------------------
Доброе время суток всем.
Последним временем много клиентов задают одни и те же вопросы связаны с видео o работе перехвата на Нидерланды.
Я решил более детально описать систему работы и поставить ее где-то в общедоступном месте.
Прежде всего пару строчек хотел бы написать o админ панели. Oна называется Universal Admin. называется она не просто так Универсал,
у нее реализована возможность поддерживать много разных проектов таких как: Tooken intercept,Text manager,Log parser,Drop manager
и многое другое.

[2 images here...not available at dump time]

Не обращайте внимания на разные цвета и стили на Скринах ,стили меняются тоже прямо с админки.

[1 image here...not available at dump time]

Tо есть админ панель одна а плагинов под нее может быть много.Hа видео Вы видели эту админку с плагином Tooken intercept + Text manager.

Text manager-это менеджер текстовых блоков и название кнопок, которые будут автоматически вставляется в вашы страницы,инжекты и
фишинг сраницы.

[1 images here...not available at dump time]

Все что надо сделать для работы это создать текстовый блок с определенным ID ,потом на вашей странице создать элемент с этим же ID и
вставить одну функцию в конец документа.
Для примера: У вас есть инжект в котором есть определенная Легенда запроса дополнительной информации.
Чтобы изменить эту Легенду вам как минимум надо разбираться в HTML и как максимум пересобирать конфигурацию бота.
С помощью текстового менеджера в моей админке все что вам надо это поменять текст в определенном блоке и нажать сохранить.

Tooken intercept-это собственно то о чем мы будем сейчас говорить.
Не важно каким способом Вы стараетесь обмануть жертву (Injec ,phishing page) цель является добытие определенного пакета информации .
Для примера скажем у вас есть Paypal Phishing page с помощью которой вы добывайте username и пароль. эти данные отсылаются куда-то на
админку в нашем случае это Universal Admin.
Username и пароль это и есть тот самый пакет информации который после отправки формы сохраняются у вас ,а кокретно вот тут

[1 image here...not available at dump time]

Использовать эту информацию можно по-разному в зависимости от вашего проекта.
Одним из методов использования этой информации является перехват(intercept) ,то есть использовать информацию в реальном времени прямо сейчас.
Вы перехватили username и пароль и вместо жертвы попадаете на ак ,пока жертва ждет думая что страница грузится.
В случае с PayPal использования перехвата не совсем обязательно, так как полученные пакет информации а именно username и пароль Вы
можете использовать и через неделю. Но в связи с тем что последнее время много контор используют One Time password(Tooken),
которые действительны только 30 секунд, обойтись без Tooken interstep нереально.
Tooken intercept дает вам возможность использовать тот самый пароль(tooken) на протяжении 30 секунд пока жертва ждет загрузки следующей страницы.

Возьмем тот же PayPal. Скажем вы получили только что username и пароль, зашли внутрь, и на главной странице вам выскочила рамочка где
говорится что для подтверждения вашей личности на ваш мобильный телефон был отправлен SMS с коротким кодом(Tooken) код
который надо вести тam же в рамочкe.
Код который был отправлен на мобильный телефон жертвы!!! жертва которая на данный момент находится на вашей странице(Phishing Inject)!!!
там где только что она(жертва) ввела username и пароль, username и пароль те что пришли к вам на админку и те что вы использовали для того
чтобы зайти на тот самый аккаунт где вам выскочила рамочка!!

В стандартных методах это называется запал и етот пакет информации можно выбросить. можно сделать такую же рамочку после логин этапа
для всех юзеров на нашей пишем фишинг или инжекте, но проблема в том что это рамочка показывается не всем и не всегда и если жертве
на телефон ничего не приходило то он туда ничего никогда не ведет.

Я думаю всем понятно что здесь нужна динамическая страница с дистанционным управлением. То есть вы должны принимать решения показывать
рамочку данной жертве или не показывать.

Именно это и есть основа.Страница которая присоединена к нашей админке может меняться исходя из команд которые вы задаете в админке.
Команд может быть много, но для этого в определенном месте в админке для каждой жертвы eсть список команд, которые можно
задать для данной страницы на которой он(жертвa) находится.

[1 image here...not available at dump time]

в нашем примитивном пример из PayPal в списке операции должнa присутствовать кнопка "показать рамочку".
Если вы зашли на аккаунт с только что полученными данными и у вас выкидывает эту рамочку вы нажимаете кнопку "показать рамочку"для данной жертвой.
И у нее на экране покажет такую же рамочку.
Tooken, который будет введён в эту рамочку прилетит к вам на админ туда же где лежат username и пароль от этой жертвы.
Думаю здесь все понятно.
Единственное что хотел бы подчеркнуть то что жертва в любой момент может закрыть страницу закрыть компьютер вырубить сеть.
В таком случае связь страницы с админкой теряется и задавать команды для данной страницы не имеет смысла.
Для этого в нашей админке есть Tracker онлайн статуса который позволяет нам следить находится ли жертва онлайн или нет.

[1 image here...not available at dump time]

Теперь структура Tooken intercept админки.
Первая страница это главная страница где показана текучка всех посетителей(жертв) ваших инжектов и фишингов.
Напротив каждого посетителя есть кнопка O-Panel при нажатии на которую вы попадаете уже на индивидуальную панель операций для данного посетителя.

[1 image here...not available at dump time]

Именно здесь и находится список операций.
Именно здесь крупным планом видно онлайн статус. Прошу заметить что онлайн статусов бывает 3(ONLINE, OFFLINE и WAITING).
WAITING статус светится красным и светится только тогда когда жертва ждет операции от вас ,то есть только что вам был отправлен
пакет информации и страница ждет дальнейших инструкций!.

[1 image here...not available at dump time]

Также жертва с этим статусом мигает красным и на главной странице что поднимает их в таблице вверх.

Окей давайте теперь возьмем реальный пример Phishing страницы скажем одного из нидерландских банков. тут реализованные как PC
так и мобильная версия.

[1 image here...not available at dump time]

Вы делаете рассылку на email и линки могут открываться на мобильном. в основном 50% так и происходит.
Скажем кто-то(жертвa) переходит на Линк в вашем email и попадает на нашу страницу. Вы об этом узнаете сразу через Jabber Alert,
в котором будет говориться про нового посетителя.
Самое время открыть Universal панель. там вы увидите Новую колонку с информацией про посетителя а Конкретно его айпи ширина
экрана и многое другое
[1 image here...not available at dump time]

с минуты на минуту к нам прилетят логины, их можно ждать как на главной так и на O-Panel.

после того как Вы получили логины, Посетитель уходит в режим ожидания. об этом Вам будут говорить красные мигающие панели,
она экранe у жертвы будет примерно такое
[1 image here...not available at dump time]
Что делать вам с полученным пакетом Логинов Решать только Вам. Но если у вас, находясь внутри в аккаунте, попросят ввести
tooken, пароль, SMS пароль то самое время вернуться на O-Panel и нажать соответствующую команду.
Команда которая приведет к тому что страница на которой находится жертва покажет ему запрос того что вам надо.

[1 image here...not available at dump time]

После того как жертва ввела в форму Tooken ,она снова уходит в режим ожидания, и Вы снова должны определиться что делать и
какую команду ему дать. И так до бесконечности или пока жертва не Закроет страницу. Но если все-таки это надоест вам то у вас
есть два варианта распрощаться жертвой.

это поставить блок
[1 image here...not available at dump time]

или перенаправить его на оригинал страницу.

[1 image here...not available at dump time]

При работе с одним посетителем могут стучать другие новые.
Это будет отвлекать и все новые посетители будут ждать. чтобы этого избежать на главной странице есть ричашки которые контролируют
регистрацию новых посетителей и переадресацию старых поголовно.

Если поставить регистрацию OFF ,то в админке только будут работать Те кто уже Там есть, все новые будут попадать на оригинал страницы контор.
A если поставить редирект всех ,то все посетители(жертвы) кто есть в админке будут перенаправлены на свои оригинальные страницы поголовно.
Это надо делать когда вы собрались к примеру уходить.
------------------------------------------
On april 2016 the 4th:
------------------------------------------
увжаемые друзья

новые инжекты под Андроид

------------------------------------------
On april 2016 the 11th:
------------------------------------------
Продается Пак инжектов под андроид для сбора карт.

WhatsUp
Facebook
Instagram
Viber
Skayp
GooglePlay

Price:450$

user posted image

Обезательно посмотрите видео. В инжектах реализованы Responsive & animations приемы.
[Redacted]
pass:1qaz

------------------------------------------

File mirrored here (pass : 1qaz)

On april 2016 the 12th:

------------------------------------------

Pack of Injects for Columbia banks for sale.

Credit cards colectors with admin panel on https domen.

bancofalabella

rbmcolombia

colpatria

bancolombia

bbvanet

bancodeoccidente

bancodebogota

bancopichincha

Price:800$

[3 images here...not available at dump time]

Video: [Redacted]

Pass:columbia

------------------------------------------

File mirrored here (pass: columbia)

On april 2016 the 14th:

------------------------------------------

Pack of Injects for Canada banks for sale.

Credit cards colectors with admin panel on https domen.

Cibc

Bmo

Desj

Rbc

Price:500$

[3 images here...not available at dump time]

Video: [Redacted]

Pass:canada

------------------------------------------

File mirrored here (pass: canada)

On april 2016 the 18th:

------------------------------------------

Недавно вышел апдейт на U-admin(Universal Admin).

Теперь все более соответствует написанному выше описанием.

Админ панель теперь имеют специальную директорию под plugins, и все плагины в этой директории автоматически прописывается в админке.

[1 image here...not available at dump time]

Например, вы приобрели U-admin а потом "Log parser Plugin". Для этого вам просто надо поставить папку Log parser в плагин директорию в админке.

Также был разработан VNC плагин который дает возможность коннектится к вашему botnet API с запросом на соединение по VNC/SOCKS для определенного бота.

Этот плагин является дополнением к "Tooken Intercept"плагина про который я писал вам выше. Если вы используете "Tooken Intercept"с инжектором

и в вашем боте есть в VNC, и в админке вашего Бота есть API управление VNC то при наличии VLC plugin в U-admin возможно сделать запрос на соединение по vnc или socks с ботом.

Как правило это делается автоматически при самом первом соединение с инжектоm,то есть когда жертва заходит на страницу перехвата.

В связи с этим была слегка переделана O-Panel где в команды была добавлена новая опция проверки статуса VNC/SOCKS соединение.

[1 image here...not available at dump time]

Куда ,как вы видите, при успешном соединении выводятся данные на VNC/SOCKS

------------------------------------------

Note: If you are interested by the [Redacted] part please send a mail

↧

CVE-2016-4117 (Flash up to 21.0.0.213) and Exploit Kits

May 21, 2016, 6:24 am

≫ Next: Is it the End of Angler ?

≪ Previous: U-Admin (Universal Admin): A Phishing(Web&Android)/Grabber/ATS/Token kit

Discovered being exploited in the wild by FireEye [1] on May 8, 2016, patched 4 days later with Flash 21.0.0.242, CVE-2016-4117 is making its way to Exploit Kits.

Magnitude :
CVE confirmed by FireEye - Thanks !
On 2016-05-21 Magnitude is firing an exploit to Flash up to 21.0.0.213.

Magnitude firing exploit to Flash 21.0.0.213 - 2016-05-21

For now i did not get exploitation in the different pass i tried but in the Flash exploit we can see some quite explicit imports :

import com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation;

Magnitude Flash Exploit showing import of the DeleteRangeTimelineOperation

Spotted sample : f5cea58952ff30e9bd2a935f5843d15952b4cf85cdd1ad5d01c8de2000c48b0a

Fiddler sent here.

Updates to come as it appears to be a work in progress.

Neutrino :
2016-05-23
Spotted by Eset.

2016-05-23 Neutrino successfully exploit CVE-2016-4117 on Flash 21.0.0.213 and drop here CryptXXX

Sample in that pass : 30984accbf40f0920675f6ba0b6daf2a3b6d32c751fd6d673bddead2413170e8
Fiddler sent here Password is malware
Out of topic payload: 110891e2b7b992e238d4afbaa31e165a6e9c25de2aed442574d3993734fb5220 CryptXXX

Angler EK:
2016-05-23
CVE identification by Henri Nurmi from F-Secure. Thanks !

Angler EK successfully exploit Flash 21.0.0.213 on 2016-05-23 dropping Dridex

Sample in that pass : 310528e97a26f3fee05baea69230f8b619481ac53c2325da90345ae7713dcee2
Fiddler sent here
Out of topic payload : 99a6f5674b738591588416390f22dedd8dac9cf5aa14d0959208b0087b718902
Most likely Dridex 123 targeting Germany based on distribution path.

Read More:
[1] CVE-2016-4117: Flash Zero-Day Exploited in the Wild - 2016-05-13 - Genwei Jiang - FireEye
[2] New Flash Vulnerability CVE-2016-4117 Shares Similarities With Older Pawn Storm Exploit - 2016-05-13 - Moony Li - TrendMicro

↧

Is it the End of Angler ?

June 11, 2016, 2:55 am

≫ Next: CVE-2016-0189 (Internet Explorer) and Exploit Kit

≪ Previous: CVE-2016-4117 (Flash up to 21.0.0.213) and Exploit Kits

Everyone looking at the DriveBy landscape is seeing the same : as Nuclear disappeared around April 30th, Angler EK has totally vanished on June 7th. We were first thinking about Vacation as in January 2016 or maybe Infrastructure move. But something else is going on.

---
On the Week-End of the 4-5th of June I noticed that the ongoing malvertising from SadClowns was redirecting to Neutrino Exploit Kit (dropping Cerber)

EngageBDR malvertising redirecting to SadClowns infra pushing traffic to Neutrino to Drop Cerber Ransomware

On the 6th I noticed several group migrating to RIG, Neutrino or even Sundown.
But I got speechless when I noticed that GooNky had switched to Neutrino to spread their CryptXXX U000001 and U000006.
They were sticking exclusively to Angler EK since years and their vacation were synchronized with Angler's in January.

Checking all known to me infection path I could hardly find some Angler....last one were behind the EItest infection chain on the night of the 6th to 7th of June.

Last Angler pass I captured on 2016-06-07
EITest into Angler dropping CryptXXX 3.200 U000017

On June 7th around 5:30 AM GMT my tracker recorded its last Angler hit :

Last Hit in my Angler tracker.

After that...RIG, Neutrino instead of Angler almost everywhere.[Side note: Magnitude is still around...But as mentioned earlier it's a One Actor operation since some time]
Aside SadClowns and GooNky here are two other big (cf traffic volume) group which transition has not been covered already

"WordsJS" (named NTL/NTLR by RiskIQ) into Neutrino > CryptXXX U000010
2016-06-10

"ScriptJS" (Named DoublePar by RiskIQ and AfraidGate by PaloAlto) into Neutrino > CryptXXX U000011

This gang was historically dropping Necurs, then Locky Affid13 before going to CryptXXX

Illustrating with a picture of words and some arrows:

MISP : select documented EK pass with associated tags.
1 arrow where you would have find Angler several days before.
(+ SadClowns + GooNky not featured in that selection)

With the recent 50 arrests tied to Lurk in mind and knowing the infection vector for Lurk was the "Indexm" variant of Angler between 2012 and beginning of 2016...we might think there is a connection and that some actors are stepping back.

Another hint that this is probably not vacation "only" for Angler is that Neutrino changed its conditions on June 9th. From 880$ per week on shared server and 3.5k$ per month on dedicated, Neutrino doubled the price to 7k$ on dedicated only (no more per week work). Such move were seen in reaction to Blackhole's coder (Paunch) arrest in October 2013.

So is this the End of Angler ? The pages to be written will tell us.

“If a book is well written, I always find it too short.”
― Jane Austen, Sense and Sensibility

Post publication notes:

[2016-06-12]
RIG : mentioned they were sill alive and would not change their Price.
Maybe unrelated to RIG mention, Neutrino updated his thread as announced previously on underground but conditions are revisited :

------Google translate:-----

Tarif week on a shared server:

Rent: $ 1500

Limit: 100k hosts per day

One-time daily discharge limits: $ 200

Rate per month on a dedicated server:

Rent: $ 4000

Limits: 500k hosts per day, and more - on an individual basis.

One-time daily discharge limits: $ 200

----------------

So now only price per week is doubled and month rate + ~20%

[2016-06-13]

Our exploit kit stats for the last two weeks… Angler dives, Neutrino soars. pic.twitter.com/RcYAH6tVck
— News from the Lab (@FSLabs) June 13, 2016

Acknowledgement:
Thanks to Will Metcalf (Emerging Threats/Proofpoint) who made the replay of SadClowns' malvertising possible. Thanks to EKWatcher and Malc0de for their help on several points.

Read More :
XXX is Angler EK - 2015-12-21
Russian hacker gang arrested over $25m theft - 2016-06-02 - BBC News
Neutrino EK and CryptXXX - 2016-06-08 - ISCSans
Lurk Banker Trojan: Exclusively for Russia - 2016-06-10 - Securelist - Kaspersky

↧

CVE-2016-0189 (Internet Explorer) and Exploit Kit

July 14, 2016, 2:59 pm

≫ Next: Fox stealer: another Pony Fork

≪ Previous: Is it the End of Angler ?

Spotted by Symantec in the wild patched with MS16-051 in may 2016, CVE-2016-0189 is now being integrated in Exploit Kit.

Neutrino Exploit Kit :

Here 2016-07-13 but i am being told that i am late to the party.

It's already [CN] documented here

Neutrino after ScriptJS redirector dropping Locky Affid 13- 2016-07-13

Flash sample in that pass : 85b707cf63abc0f8cfe027153031e853fe452ed02034b792323eecd3bc0f7fd
(Out of topic payload : 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565ddee0cad4e249ce18 - Locky Affid 13 )

Thanks to Malc0de for invaluable help here :)

Files Here:Neutrino_CVE-2016-0189_160714 (Password is malware - VT Link)

Edits :
2016-07-15 a previous version was stating CVE-2015-5122 for nw23. Fixed thanks to @dnpushme

Read More :

[CN] NeutrinoEK来袭：爱拍网遭敲诈者病毒挂马 2016-07-14 - Qihoo360

Patch Analysis of CVE-2016-0189 - 2016-06-22 - Theori

Internet Explorer zero-day exploit used in targeted attacks in South Korea - 2016-05-10 - Symantec

Neutrino EK: fingerprinting in a Flash - 2016-06-28 - Malwarebytes

Post publication Reading :
Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release - 2016-07-14 - FireEye

↧