Quick post that I will heavily edit later with details and other integrations (if any).
Angler EK is not a Reveton-dedicated EK anymore. It was first adopted by the "ru:8080" team:
Cridex/Bugat not dead. Here pushed by ru:8080 in.... Angler EK (was Magnitude 29 before that and Blackhole /news/) pic.twitter.com/Z8cvZneOQ7
— kafeine (@kafeine) December 17, 2013
I spotted another customer a few days ago (will update with screenshots and information on payloads). Studying it, I found that Angler EK has integrated a new Flash exploit.
<edit1 2013-12-25>
Thanks to Arseny Levin from SpiderLabs for identifying the correct CVE, Chris Wakelin for decoding the RC4'ed SWF and Will Metcalf from Emerging Threats for additional input.
I can now update the post with CVE-2013-5329.
More technical data to come later.
One question... how did they get that code?
I guess a $450k budget for exploits helps.
</edit1>
Angler EK: CVE-2013-5329 on Flash 11.9.900.117:
Flash 11.9.900.117 successfully exploited by CVE-2013-5329 in Angler EK 2013-12-24
GET http://gpnmdatestamped.beachsidebridesblog.ca/qldamegim7
200 OK (text/html)
GET http://gpnmdatestamped.beachsidebridesblog.ca/4qldamegim7sek
200 OK (text/html)
GET http://gpnmdatestamped.beachsidebridesblog.ca/3qldamegim7sek
200 OK (application/octet-stream) 9abb9b3736531370a07d2b5e3344bc5b
In some passes you may also get this:
GET http://gpnmdatestamped.beachsidebridesblog .ca/counter.php?v=win%2011%2C9%2C900%2C117&t=activex&o=windows%20xp
404 Not Found (text/html)
Raw:
GET http://hydrolyz-gewaehlte.beachsidebridesblog.com/counter.php?v=win%2011%2C9%2C900%2C117&t=activex&o=windows%20xp HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,9,900,117
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: hydrolyz-gewaehlte.beachsidebridesblog.com
Connection: Keep-Alive
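The counter.php callback above reports the victim's Flash build in the query string (v=win 11,9,900,117) and again in the x-flash-version header. As an added example (not part of the original post), here is a small proxy-log checker that parses that callback, extracts the reported build, flags builds older than the release that fixed CVE-2013-5329 (assumed here to be 11.9.900.152, from Adobe's APSB13-28 bulletin), and notes when the header and query disagree. The one-line log format and the non-.ca/.com hosts are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# First Flash release shipping the fix for CVE-2013-5329 (Adobe APSB13-28).
# Assumption for this example; the post only names the exploited build.
PATCHED_FLASH = (11, 9, 900, 152)

# Constructed sample log: "GET <url> [x-flash-version=<ver>]" per line,
# the first line mirroring the capture above.
SAMPLE_LOG = """\
GET http://hydrolyz-gewaehlte.beachsidebridesblog.com/counter.php?v=win%2011%2C9%2C900%2C117&t=activex&o=windows%20xp x-flash-version=11,9,900,117
GET http://example.invalid/counter.php?v=win%2011%2C9%2C900%2C170&t=activex&o=windows%207 x-flash-version=11,9,900,170
GET http://example.invalid/index.html
"""

def parse_flash_version(text):
    """Turn 'win 11,9,900,117' (or '11,9,900,117') into a tuple of ints, else None."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def analyse_request(line):
    """Return a finding for a counter.php version report, or None for other requests."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    if not url.path.endswith("/counter.php"):
        return None
    qs = parse_qs(url.query)                     # percent-decodes v=, t=, o=
    reported = parse_flash_version(qs.get("v", [""])[0])
    header = None
    for token in parts[2:]:
        if token.startswith("x-flash-version="):
            header = parse_flash_version(token.split("=", 1)[1])
    return {
        "host": url.hostname,
        "plugin": qs.get("t", [""])[0],           # e.g. activex (IE) vs plugin
        "os": qs.get("o", [""])[0],
        "flash": reported,
        # tuple comparison: (11,9,900,117) < (11,9,900,152) -> vulnerable
        "vulnerable": reported is not None and reported < PATCHED_FLASH,
        "header_mismatch": None not in (reported, header) and header != reported,
    }

def scan_log(text):
    """All counter.php findings in a log, in order."""
    return [f for f in map(analyse_request, text.splitlines()) if f]
```

Run scan_log(SAMPLE_LOG) to see the exploited build from the capture flagged and the newer build passed over; a header/query mismatch is worth a second look since the query string is attacker-chosen page code while the header is set by the plugin.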
Files: 2 Flash, 1 Fiddler (Owncloud via Goo.gl)