[This post has been edited multiple times to fix some errors and bring in new elements. It may still be changed.]
My goal was to grab CVE-2014-0556 when I landed on Fiesta yesterday, but according to @TimoHirvonen it is CVE-2014-0569, fixed only one week ago, that was fired here. That is a really fast integration into an exploit kit. I have been told it landed in Fiesta after its coder reversed the patch (in two days).
So you know what to do: ensure Flash Player is up to date (15.0.0.189; for IE10/IE11 users the patch to check is KB3001237).
Fiesta :
CVE-2014-0569 successful pass in Fiesta EK, 2014-10-21 (Fiesta logo courtesy of Fox-IT)
GET http://rvdcgyisqy.myftp .org/jjcv7antdqqollz6mqusrbwjcu3z1835zzuurupwvyxdsy
200 OK (text/html)
"Relevant section from Fiesta landing page : http://pastebin.com/K4gbQWpS" by Jason in the comments
GET http://rvdcgyisqy.myftp .org/cp9ne2q/4f25f1a50659fee801500b0e540a50040053040e5253510e0152060357535850;150000;144
200 OK (application/x-shockwave-flash) 254690dd89055c46f1a60713dbc26965 CVE-2014-0569
GET http://rvdcgyisqy.myftp .org/cp9ne2q/55cd3f2a4a3ae27c5645085f015d03500100555f0704025a0001575202040b04;7
200 OK (application/octet-stream) 2b74a966466d612b069161b4fdd0f775 Payload : Ropest (thx @Horgh_rce )
GET http://rvdcgyisqy.myftp .org/cp9ne2q/55cd3f2a4a3ae27c5645085f015d03500100555f0704025a0001575202040b04;7;1
200 OK (text/html)
Files : Nothing yet.
Fiddler sent to VT here : 9bb6292633f4eccd54aeb23ad3555507
Angler EK :
[Edit 2014-10-22 : It appears this could be another CVE than CVE-2014-0569 (0558 or 0564, or something else killed by the last update). I am asking for help in figuring it out.]
CVE-2014-0569 (?) fired by Angler EK, 2014-10-21, followed by Bedep activity and a Zeus variant
GET http://three.creziontyro .in/qsx0jugfgk
200 OK (text/html) After a first pass of deobfuscation: http://pastebin.com/tnRKArFz (thx as always to @EKWatcher ). Update coming later, maybe.
GET http://three.creziontyro .in/J-XQctybYriag-bOGIcSDh-HchIdpmXKk_M52H6bO6Y7NsJMsSIWWvNTG-R0tdBR
200 OK (application/x-shockwave-flash) d54a6cca8b6b52f6ed47769ba6397444 CVE-2014-xxxx
GET http://three.creziontyro .in/KxYioLx6A_QJguVdGPUpkrc6lJWbIWICBCyS8LR7X3pDLnTugBkW7GVC1vXjAtFj
200 OK (application/octet-stream) Stream containing shellcode and Bedep.
Target Payload : 831098a9d8db43bebf3d6ee67914888d Kins variant (thanks to @maciekkotowicz who wrote about it on Kernelmode)
Files : Nothing yet.
Fiddler sent to VT here : 6c0cd2dae5c43f92d86411977bb28b08
Astrum EK :
So Astrum is owning Flash 15.0.0.152. It seems the same undefined CVE (fixed 10 days ago by the last Flash Player patch) used in Angler EK is being used here as well.
Astrum EK exploiting Flash 15.0.0.152 to push Miuref AdFraud, 2014-10-24
(Once again... sorry, I do not have enough time yet to study this in detail.)
GET http://b.kok44 .com/qtzscn6d2vyrp.html
200 OK (text/html)
POST http://b.kok44 .com/nlPPOoTJIWP0MPcC66tPW6E881Kxrk4JpG3zUe7-T16vY_BTuvYfUu118wO64AEI8g..
404 Not Found (text/html)
GET http://b.kok44 .com/qtzscn6d2vyrp.html
200 OK (text/html)
POST http://b.kok44 .com/YYclWjoL_Ppe6BRhUmbCkQ7uSWFZaMeRW-0UZ1I9lZYMvEtmAjeXkRKhGWMEItyRDQ..
200 OK (text/html)
GET http://b.kok44 .com/iajJ15EwZW62x_js-V1bBebBpezyU14Fs8L46vkGDALkk6frqQwOBfqO9eysGUUF5Q..
200 OK (application/x-shockwave-flash) 99a8b37fcd995f859e2b7e22ce8fe72b CVE-2014-05xx ??
GET http://b.kok44 .com/pYU3o8dIJ8ma6gaYryUZosrsW5ikKxyin-8Gnq9-TqXIvlmf_3RMotajC5j1YQeiyQ..
200 OK (application/octet-stream) After deobfuscation: 3ef89107362630d2ad56e7bef5a717fc Miuref AdFraud (cf. form. Partnerka.me)
Files : Nothing yet.
Fiddler sent to VT here : 5e9abc8ef40bb98afb00e40f12958919
Sweet Orange :
@kafeine Sweet Orange EK also uses the CVE-2014-0569.
— Simon Choi (@issuemakerslab) October 28, 2014
A pass with Firefox and Flash 15.0.0.152 seems to confirm that. CVE-2014-0569 confirmed by Kaspersky. Simon Choi told me he also got a successful pass with IE 11 / Flash 15.0.0.167 on Windows 8.
GET http://pirat.svanager.wielun .pl:8080/elements/film.php?london=274412&desktop=209908&advocacy=17&bloggers=22666&free=56481&articles=178642&other=287691
200 OK (text/html)
GET http://pirat.svanager.wielun .pl:8080/elements/xrbolXSHx
200 OK (application/x-shockwave-flash) 6d5591ef4d3ddb1c0b47d52a58e36036
GET http://pirat.svanager.wielun .pl:8080/backup.php?lang=1341&topics=12&voip=505&myguest=1251&math=1377&down=2386&game=2511
200 OK (application/octet-stream) Kovter bc8e0c39cc66da9c2caee65bd3a70882
Files : Soon. After Nuclear Pack integration.
Flash EK :
CVE-2014-0569 fired by a "full" Flash EK on 2014-10-28
GET http://tinsinarbetrab .eu/xs3884y132186/index.php
200 OK (text/html)
GET http://tinsinarbetrab .eu/xs3884y132186/js/swfobject.js
200 OK (application/javascript)
GET http://tinsinarbetrab .eu/xs3884y132186/banner.swf
200 OK (application/x-shockwave-flash) Filtering advert 8124c71afe59779e181c52857f990103
POST http://tinsinarbetrab .eu/xs3884y132186/gate.php
200 OK (text/html)
GET http://tinsinarbetrab .eu/xs3884y132186/Main.swf
200 OK (application/x-shockwave-flash) 93bd68ff7112244d19030d360e9b2108 CVE-2014-0569 identified by Timo Hirvonen
GET http://tinsinarbetrab .eu/xs3884y132186/lofla1.php
200 OK (application/octet-stream) Necurs 96f0f62f798987fb0dd3427182775ef7
Files : Soon.
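Every capture in this post has the same shape: a landing page (text/html), then a Flash file (application/x-shockwave-flash) carrying the exploit, then a binary payload (application/octet-stream) from the same host. The script below is an added example, not tooling from this post's author: it parses the GET/POST + status-line format used here, reconstructs that landing -> SWF -> payload chain per host, and pulls out the hosts, MD5s and CVE labels as a quick IoC list. The sample input is the Fiesta capture transcribed from the post with its defanging kept (the space before the TLD); `PATCHED_FLASH` is the 15.0.0.189 build the post names as fixed, and the chain detector is a triage heuristic over proxy logs, not a signature.

```python
"""Parse the request/status capture format used in this post and flag the
landing page -> Flash exploit -> binary payload shape each EK chain shows.
Added example for this post; it is not the post author's tooling."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the Fiesta EK transactions transcribed from the post,
# with the post's defanging kept (a space before the TLD).
FIESTA_CAPTURE = """\
GET http://rvdcgyisqy.myftp .org/jjcv7antdqqollz6mqusrbwjcu3z1835zzuurupwvyxdsy
200 OK (text/html)
GET http://rvdcgyisqy.myftp .org/cp9ne2q/4f25f1a50659fee801500b0e540a50040053040e5253510e0152060357535850;150000;144
200 OK (application/x-shockwave-flash) 254690dd89055c46f1a60713dbc26965 CVE-2014-0569
GET http://rvdcgyisqy.myftp .org/cp9ne2q/55cd3f2a4a3ae27c5645085f015d03500100555f0704025a0001575202040b04;7
200 OK (application/octet-stream) 2b74a966466d612b069161b4fdd0f775 Payload : Ropest
GET http://rvdcgyisqy.myftp .org/cp9ne2q/55cd3f2a4a3ae27c5645085f015d03500100555f0704025a0001575202040b04;7;1
200 OK (text/html)
"""

# Flash build the post names as the fixed one for CVE-2014-0569.
PATCHED_FLASH = (15, 0, 0, 189)

REQUEST_RE = re.compile(r"^(?P<method>GET|POST)\s+(?P<url>.+?)\s*$")
RESPONSE_RE = re.compile(
    r"^(?P<status>\d{3})\s+(?P<reason>[A-Za-z ]+?)\s*\((?P<ctype>[^)]+)\)"
    r"\s*(?P<md5>[0-9a-fA-F]{32})?\s*(?P<note>.*)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Transaction:
    method: str
    url: str
    status: int = 0
    ctype: str = ""
    md5: Optional[str] = None
    note: str = ""
    cves: List[str] = field(default_factory=list)

    @property
    def host(self) -> str:
        """Host part of the URL with the defanging space removed."""
        return self.url.split("://", 1)[-1].split("/", 1)[0].replace(" ", "")


def parse_capture(text: str) -> List[Transaction]:
    """Pair each request line with the status line that follows it; other
    lines (payload names, 'Files:' notes, Fiddler hashes) are ignored."""
    txs: List[Transaction] = []
    for raw in text.splitlines():
        line = raw.strip()
        req = REQUEST_RE.match(line)
        if req:
            txs.append(Transaction(req["method"], req["url"]))
            continue
        resp = RESPONSE_RE.match(line)
        if resp and txs:
            t = txs[-1]
            t.status = int(resp["status"])
            t.ctype = resp["ctype"].strip()
            t.md5 = (resp["md5"] or "").lower() or None
            t.note = resp["note"].strip()
            t.cves = CVE_RE.findall(t.note)
    return txs


def find_ek_chains(txs: List[Transaction]) -> List[dict]:
    """Per host, a successful text/html response, then a SWF, then an
    application/octet-stream body. Heuristic triage, not a signature."""
    findings: List[dict] = []
    per_host: Dict[str, List[Transaction]] = {}
    for t in txs:
        per_host.setdefault(t.host, []).append(t)
    for host, seq in per_host.items():
        landing: Optional[Transaction] = None
        swf: Optional[Transaction] = None
        for t in seq:
            if t.status != 200:
                continue  # e.g. Astrum's first POST got a 404; skip failed requests
            if landing is None and "text/html" in t.ctype:
                landing = t
            elif landing is not None and "x-shockwave-flash" in t.ctype:
                swf = t  # keep the latest SWF: Flash EK serves a filtering advert first
            elif swf is not None and "octet-stream" in t.ctype:
                findings.append({"host": host, "landing": landing.url,
                                 "exploit_md5": swf.md5, "payload_md5": t.md5,
                                 "cves": list(swf.cves)})
                swf = None  # one finding per payload download
    return findings


def extract_iocs(txs: List[Transaction]) -> Dict[str, List[str]]:
    """Sorted, de-duplicated hosts, MD5s and CVE labels seen in the capture."""
    return {
        "hosts": sorted({t.host for t in txs}),
        "md5s": sorted({t.md5 for t in txs if t.md5}),
        "cves": sorted({c for t in txs for c in t.cves}),
    }


def flash_is_patched(version: str) -> bool:
    """True when a dotted Flash version string is at or above 15.0.0.189."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Flash version format: {version!r}")
    return parts >= PATCHED_FLASH


if __name__ == "__main__":
    transactions = parse_capture(FIESTA_CAPTURE)
    for chain in find_ek_chains(transactions):
        print(chain)
    print(extract_iocs(transactions))
    print("15.0.0.152 patched?", flash_is_patched("15.0.0.152"))
```

Feeding the Astrum or Flash EK capture through the same functions gives one finding each: the 404 on Astrum's first POST is skipped, and for Flash EK the exploit hash reported is Main.swf rather than the banner.swf filtering advert, because the detector keeps the most recent SWF before the binary download.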