As spotted by FireEye on 2015-04-17, Angler EK is now taking advantage of a vulnerability patched in the latest version of Flash Player (17.0.0.169).
Angler EK :
2015-04-17
Angler EK successfully exploiting CVE-2015-0359 2015-04-24
Fiddler sent to VT
"Standalone" Neutrino-ish :
2015-04-27
Thanks to Malwarebytes Anti-Exploit team for referer
Thanks to Timo Hirvonen for CVE identification
Same CVE as Angler used in "Standalone" mode - 2015-04-27 IE11 - Win7 Flash 17.0.0.134
Traffic source : adxpansion on porn website
Sample (Viagra/Cialis badvert) : c14c1130796167bbe0172dda86adec4ff3dcc34a81451f285795b81c2abd4983
Fiddler : sent on VT
This drops a .js in %temp% or %temp%\low that does the RC4 decoding and calls wscript to execute the .js.
Badvert in another case : 403cba4b81d235b5b53912c4b68995c7 (you can see the RC4 key used)
http://pastebin.com/raw.php?i=6qdTEBnj
Note the 6-minute sleep :)
Dropped malware : You can get them here.
Tofsee maybe : a29acacfc2b5e44cdbfb769ce9cf9ccf
Trapwot fake av (defender pro 2015) : 37cd5cb1ebabcb921fe20341c2a63fc4
Undefined : 2e297279f7d919e4e67464af91fb6516
Drops in %temp%
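The dropper behaviour described above (a .js written to %temp% or the low-integrity %temp%\low of IE Protected Mode, then run through wscript) is something a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from the post: it uses Sysmon-style field names (Image, CommandLine, ParentImage) as an assumption about the log format, and the events it scans are constructed samples, not captures from the traffic discussed here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events in a Sysmon Event ID 1 style (assumed
# field names). The first two mimic the dropper pattern; the last two are benign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\Low\a1b2c3.js"',
        "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
    },
    {
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\bob\AppData\Local\Temp\upd.js"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"',
        "ParentImage": r"C:\Windows\System32\userinit.exe",
    },
    {
        "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
        "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1234 CREDAT:5678',
        "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
    },
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
BROWSERS = ("iexplore.exe", "firefox.exe", "chrome.exe")
# %TEMP% and the low-integrity %TEMP%\Low that IE Protected Mode writes to.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp(\\Low)?\\", re.IGNORECASE)
LOW_RE = re.compile(r"\\Temp\\Low\\", re.IGNORECASE)


def script_path(cmdline: str) -> Optional[str]:
    """Return the first command-line argument that names a script file, or None.

    Quoted arguments are kept whole; script-host switches such as //B are skipped
    because they do not end with a script extension.
    """
    for tok in re.findall(r'"[^"]*"|\S+', cmdline):
        tok = tok.strip('"')
        if tok.lower().endswith(SCRIPT_EXT):
            return tok
    return None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string when the event matches the dropper pattern, else None."""
    image = event.get("Image", "").lower()
    if not image.endswith(SCRIPT_HOSTS):
        return None
    path = script_path(event.get("CommandLine", ""))
    if path is None or not TEMP_RE.search(path):
        return None
    reasons = ["script host running a script from %TEMP%"]
    if LOW_RE.search(path):
        reasons.append("low-integrity Temp\\Low (IE Protected Mode)")
    if event.get("ParentImage", "").lower().endswith(BROWSERS):
        reasons.append("spawned by a browser")
    return "; ".join(reasons)


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (command line, reason) pairs for every event that matches."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason is not None:
            hits.append((event.get("CommandLine", ""), reason))
    return hits


if __name__ == "__main__":
    for cmdline, reason in scan(SAMPLE_EVENTS):
        print(f"{reason}\n    {cmdline}")
```

The parent-process check is deliberately a score booster rather than a requirement: the .js can just as well be launched by a cmd.exe or a second-stage process, and the %temp%\low path alone is the stronger signal, since a script host reading from the IE low-integrity temp directory is rarely legitimate.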
One more :
Neutrino-ish malvert 2015-04-30 cf : https://twitter.com/BelchSpeak/status/593803410207612928
Fiddler sent to VT (password : malware)
Those drops were so "Neutrino-ish" that I decided to take a look at Neutrino in the same conditions, and guess what :
Neutrino :
2015-04-27
Thanks to Timo Hirvonen for CVE identification
Same CVE as Angler used in "Standalone" mode - 2015-04-27 IE11 - Win7 Flash 17.0.0.134
Sample : d7a44f7794f8f0ba972c41d30d1e47d3232b32b45292ac9c9c9d8d338814f3d3
Fiddler sent to VT
Nuclear Pack :
2015-04-28
Thanks to TrendMicro for confirming CVE was the same as the one used in Angler EK
Nuclear Pack successfully exploiting Flash 17.0.0.134 inside IE11 on Windows 7 to push Kelihos Loader (suba002) 2015-04-28
Sample : 6eca6686bf2450d6251add82f5f5681e6c542575acf350f21efede628c6be6fe
Fiddler sent to VT
RIG :
2015-04-30
Thanks @TimoHirvonen for CVE confirmation.
RIG now
Sample was : a345a866f64fb61e482ead7e3b3979542381b579c6065ffd7e93bc23faefdd4c
Fiddler sent to VT
To those wondering why I do not give a direct link to an exploit patched less than one month ago, look at these stats shared by a user underground :
RIG stats (mostly BR) shared by a user underground
Magnitude :
2015-04-02
Magnitude successfully exploiting CVE-2015-0359 to push Cryptowall and Zemot 2015-05-02
Fiddler sent to VT
Fiesta :
2015-05-03
Sample in that pass : a78f2cd9233523141fc29960831947ad9f993e08680f2db10facf2ed93a7e94e
Logo courtesy of Fox-IT. Fiesta firing CVE-2015-0359 (more like the real one according to @TimoHirvonen) 2015-05-03
Fiddler sent to VT
Read more :
Latest Flash Exploit in Angler EK Might Not Really Be CVE-2015-0359 - 2015-04-22 - Peter Pi - TrendMicro
Angler EK Exploiting Adobe Flash CVE-2015-0359 with CFG Bypass - 2015-04-18 - Dan Caselden and Sai Omkar Vashisht - FireEye