CVE-2014-0497 (Flash up to 12.0.0.43) integrating Exploit Kits

And here we are: the first CVE-2014-xxxx exploited in a blind mass attack. (I was expecting the 0322 one, but maybe it's not that easy to implement.)

As spotted by EKWatcher, Angler EK is introducing today a new Flash exploit: CVE-2014-0497, identified by Timo Hirvonen from F-Secure. This vulnerability was found exploited in targeted attacks by Kaspersky and was patched 22 days ago.

This exploit is more effective than the samples previously found.

The samples covered by Microsoft and Kaspersky were not working properly on Flash 12.x, but it looks like the coder of this exploit found a way to bypass the mitigation preventing execution on the 12.x branch.

Angler EK : 2014-02-26

CVE-2014-0497 successful pass in Angler EK from the ru8080 team: 2014-02-26
(note: the logo and name for Angler are not "official" ones)

GET http://phisoomythyxiboow .ru:8080/nf21cea1mg
200 OK (text/html)

Part of the landing page after deobfuscation work (credits again to EKWatcher),
giving hints on which CVE to expect.
GET http://phisoomythyxiboow .ru:8080/7Iw-u6QdLxfxRCoG1KQb6ObHh9cNwPcXhm4XQ5P4hK8INIZ4
200 OK (text/html)  2a2136743be5be61b4e929b62a7a06ea CVE-2014-0497

Flash exploit opened in FFDec.
Piece of code showing calls that do not look really "Anglerish".
Remains of debugging?

GET http://phisoomythyxiboow .ru:8080/EVUjxyPGW5p_MsLcWq12Y5HwY0gkVHSUamvyuIIBd4efHGTf
200 OK (application/octet-stream) Once decoded : 664e4383fcfe183edc04247f4d018e11 (GameOver Zeus - I'll write about that specific sample really soon)


Side notes:

 - It's not just a XOR-ed payload. As Bryan Burns figured out, one byte is modified, so a XOR pass alone is not enough to get the actual payload.
It seems the modified data is always the Size Of Optional Header (the SizeOfOptionalHeader field of the PE file header).
I have no plan to search for the piece of code in charge of the modification. If you happen to work on it, I would be happy to hear about it.

 - This CVE is not being served for now in "Reveton" Angler EK instances, despite the landing page showing the upgrade.
Same VM, a few minutes between the two passes.
Guess who is the VIP....
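An added example for the first side note (not code from the post, and not Angler's decoder): a small analyst helper that recovers the XOR key from the MZ signature, strips the XOR layer, and then checks whether the PE file header's SizeOfOptionalHeader field still carries its conventional value (0xE0 for PE32, 0xF0 for PE32+), restoring it when it does not. The post does not say how the byte is altered or how long the key is, so the single-byte key, the tampered value 0x1234 and the minimal PE header used as input are all constructed assumptions for the demo. Real samples should be checked against the actual dump from Fiddler rather than this synthetic header.

```python
import struct

# Conventional optional-header sizes per PE magic (PE32 / PE32+).
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
OPT_HDR_SIZE = {PE32_MAGIC: 0xE0, PE32PLUS_MAGIC: 0xF0}

# Layout used below: DOS header (0x40) + "PE\0\0" (4) + COFF header (20) + optional header.
E_LFANEW_OFF = 0x3C
COFF_SIZE = 20
SIZE_OF_OPT_HDR_OFF = 16   # offset of SizeOfOptionalHeader inside the COFF header


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR (symmetric, so also encodes)."""
    return bytes(b ^ key for b in data)


def guess_xor_key(blob: bytes) -> int:
    """Derive a single-byte key from the expected 'MZ' signature and cross-check it."""
    key = blob[0] ^ 0x4D                       # 'M'
    if blob[1] ^ key != 0x5A:                  # 'Z'
        raise ValueError("first two bytes do not decode to MZ with a one-byte key")
    return key


def repair_optional_header_size(pe: bytes):
    """Return (fixed_pe, observed_value, expected_value) for SizeOfOptionalHeader."""
    e_lfanew = struct.unpack_from("<I", pe, E_LFANEW_OFF)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    field_off = coff + SIZE_OF_OPT_HDR_OFF
    observed = struct.unpack_from("<H", pe, field_off)[0]
    magic = struct.unpack_from("<H", pe, coff + COFF_SIZE)[0]   # first WORD of optional header
    expected = OPT_HDR_SIZE.get(magic)
    if expected is None:
        raise ValueError(f"unknown optional header magic 0x{magic:X}")
    fixed = bytearray(pe)
    struct.pack_into("<H", fixed, field_off, expected)
    return bytes(fixed), observed, expected


def recover(blob: bytes) -> dict:
    """Full pass: key recovery, XOR strip, header field check/repair."""
    key = guess_xor_key(blob)
    decoded = xor_decode(blob, key)
    fixed, observed, expected = repair_optional_header_size(decoded)
    return {"key": key, "observed": observed, "expected": expected,
            "tampered": observed != expected, "pe": fixed}


# --- constructed sample input (not a real payload) -----------------------------
def build_sample_pe32_header() -> bytes:
    """Minimal, well-formed PE32 header skeleton: MZ stub, PE signature, COFF, optional header."""
    hdr = bytearray(0x40 + 4 + COFF_SIZE + 0xE0)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, E_LFANEW_OFF, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, 0x14C)                       # Machine: i386
    struct.pack_into("<H", hdr, 0x46, 3)                           # NumberOfSections
    struct.pack_into("<H", hdr, 0x44 + SIZE_OF_OPT_HDR_OFF, 0xE0)  # SizeOfOptionalHeader
    struct.pack_into("<H", hdr, 0x44 + COFF_SIZE, PE32_MAGIC)      # optional header Magic
    return bytes(hdr)


def make_constructed_blob(key: int = 0x5C, bogus_size: int = 0x1234) -> bytes:
    """Emulate the described transport: mangle SizeOfOptionalHeader, then XOR the whole thing.
    The bogus value and the key are arbitrary choices for this demo."""
    tampered = bytearray(build_sample_pe32_header())
    struct.pack_into("<H", tampered, 0x44 + SIZE_OF_OPT_HDR_OFF, bogus_size)
    return xor_decode(bytes(tampered), key)


if __name__ == "__main__":
    result = recover(make_constructed_blob())
    print(f"key=0x{result['key']:02X} observed=0x{result['observed']:X} "
          f"expected=0x{result['expected']:X} tampered={result['tampered']}")
```

The restore step assumes the standard optional-header size; a binary built with a non-standard number of data directories would legitimately differ, so treat a mismatch as a flag to inspect, and diff the repaired output against the conventional value before trusting it.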

Files: Fiddler/sample (Owncloud via goo.gl)

Read more :
CVE-2014-0497 – a 0-day vulnerability - Vyacheslav Zakorzhevsky - Kaspersky - 2014-02-05
A journey to CVE-2014-0497 exploit - Chun Feng - MMPC - 2014-02-17


