
CVE-2015-0359 (Flash up to 17.0.0.134) and Exploit Kits


As spotted by FireEye on 2015-04-17, Angler EK is now taking advantage of a vulnerability patched in the latest version of Flash Player (17.0.0.169).

Angler EK :
2015-04-17

Angler EK successfully exploiting CVE-2015-0359
2015-04-24
Flash Sample from this pass : ff7685252e2a353b10543df90214f1a948a554947323b07078c18e9f6a810373
Fiddler sent to VT

"Standalone" Neutrino-ish :
2015-04-27
Thanks to the Malwarebytes Anti-Exploit team for the referer
Thanks to Timo Hirvonen for CVE identification

Same CVE as Angler used in "Standalone" mode - 2015-04-27
IE11 - Win7 Flash 17.0.0.134


Traffic source : adxpansion on a porn website
Sample (Viagra/Cialis badvert) : c14c1130796167bbe0172dda86adec4ff3dcc34a81451f285795b81c2abd4983
Fiddler : sent on VT

This drops a .js in %temp% or %temp%\low that does the RC4 decryption and calls wscript.

wscript executing the js

In another case, badvert 403cba4b81d235b5b53912c4b68995c7, you can see the RC4 key used:

http://pastebin.com/raw.php?i=6qdTEBnj
Note the 6 minutes sleep :)
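As an added example (not code from the original post), a small detection routine for the wscript / %temp%\low drop pattern described above: it parses constructed Sysmon-style process-creation events (the field names and the Key=Value|Key=Value layout are assumptions) and flags a script host launching a .js from %temp% or %temp%\Low.

```python
"""Added example: flag Windows Script Host running a .js from %temp% or
%temp%\\Low. Sample events are constructed; Sysmon-style field names assumed."""
import re

# Windows Script Host binaries that run the dropped .js
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# %temp% expands to ...\AppData\Local\Temp; IE11 protected mode can only
# write to the low-integrity %temp%\Low. Match literal or expanded form.
TEMP_JS_RE = re.compile(
    r'(?:%TEMP%|\\AppData\\Local\\Temp)(?P<low>\\Low)?\\[^\\\s"\']+\.js\b',
    re.IGNORECASE,
)

def parse_event(line: str) -> dict:
    """Split a constructed 'Key=Value|Key=Value' line into a field dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def check_event(event: dict):
    """Return a finding if a script host executes a .js from the temp dirs."""
    if basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return None
    m = TEMP_JS_RE.search(event.get("CommandLine", ""))
    if not m:
        return None
    return {
        "host": basename(event["Image"]),
        "parent": basename(event.get("ParentImage", "")),
        "script": m.group(0),
        # browser parent plus the Low folder is the IE11 drive-by shape seen here
        "low_integrity": m.group("low") is not None,
    }

def find_suspicious(lines) -> list:
    return [f for f in (check_event(parse_event(ln)) for ln in lines) if f]

# Constructed sample events: two suspicious, two benign.
SAMPLE_LOG = [
    r'Image=C:\Windows\System32\wscript.exe|CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\Low\a1b2.js"|ParentImage=C:\Program Files\Internet Explorer\iexplore.exe',
    r'Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe %TEMP%\x9.js|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\cscript.exe|CommandLine=cscript.exe C:\Scripts\inventory.vbs|ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\bob\AppData\Local\Temp\notes.js|ParentImage=C:\Windows\explorer.exe',
]
```

Run `find_suspicious(SAMPLE_LOG)` to get the two findings; the iexplore.exe parent with the Low folder is the one that matches the IE11 chain above.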

Dropped malware : You can get them here.
Tofsee maybe : a29acacfc2b5e44cdbfb769ce9cf9ccf
Trapwot fake av (defender pro 2015) : 37cd5cb1ebabcb921fe20341c2a63fc4
Undefined : 2e297279f7d919e4e67464af91fb6516

Drops in %temp%

One more :

Neutrino-ish malvert 2015-04-30
cf :  https://twitter.com/BelchSpeak/status/593803410207612928
Fiddler sent to VT (password : malware)


Those drops were so "Neutrino-ish" that I decided to take a look at Neutrino under the same conditions, and guess what:

Neutrino :
2015-04-27
Thanks to Timo Hirvonen for CVE identification
Same CVE as Angler used in "Standalone" mode - 2015-04-27
IE11 - Win7 Flash 17.0.0.134

Sample : d7a44f7794f8f0ba972c41d30d1e47d3232b32b45292ac9c9c9d8d338814f3d3
Fiddler sent to VT

Nuclear Pack :
2015-04-28
Thanks to TrendMicro for confirming the CVE was the same as the one used in Angler EK

Nuclear Pack successfully exploiting Flash 17.0.0.134 inside IE11 on Windows 7 to push Kelihos Loader (suba002)
2015-04-28
NB: some Nuclear Pack instances are still only firing CVE-2015-0335.
Sample : 6eca6686bf2450d6251add82f5f5681e6c542575acf350f21efede628c6be6fe
Fiddler sent to VT

RIG :
2015-04-30
Thanks @TimoHirvonen for CVE confirmation.
RIG now

Sample was : a345a866f64fb61e482ead7e3b3979542381b579c6065ffd7e93bc23faefdd4c
Fiddler sent to VT

To those wondering why I do not give a direct link to an exploit patched less than one month ago, look at these stats shared by a user underground:
RIG stats (mostly BR) shared by a user underground
Magnitude:
2015-04-02

Magnitude successfully exploiting CVE-2015-0359 to push Cryptowall and Zemot
2015-05-02
Sample in that pass : 85e0f358c80e9013be2358e4ee11d90885d74f5b32d4cef710b76e0245631b26
Fiddler sent to VT

Fiesta:
2015-05-03
Logo Courtesy of Fox-IT
Fiesta firing CVE-2015-0359 (more like the real one according to @TimoHirvonen)
2015-05-03
Sample in that pass : a78f2cd9233523141fc29960831947ad9f993e08680f2db10facf2ed93a7e94e
Fiddler sent to VT
Read more :
Latest Flash Exploit in Angler EK Might Not Really Be CVE-2015-0359 - 2015-04-22 - Peter Pi - TrendMicro
Angler EK Exploiting Adobe Flash CVE-2015-0359 with CFG Bypass - 2015-04-18 - Dan Caselden and Sai Omkar Vashisht - FireEye
