
CVE-2015-5119 (HackingTeam 0d - Flash up to 18.0.0.194) and Exploit Kits

As we are all aware, a 0d (for which a patch is expected tomorrow) was among the files leaked from the HackingTeam compromise.





As we were all expecting, integration into exploit kits was a matter of hours, and the Angler EK team appears to be at it already.


Angler EK :
2015-07-07
[Got confirmation from Kaspersky that this is indeed HT 0d]
[Sad Edit 2015-07-09] NB : If you see no credits here, it's because despite what you might read here or there...there was absolutely no mention anywhere of this CVE in Angler at the time of the Tweet/Publishing. Dark souls are dark [/Sad Edit]

Angler EK successfully exploiting IE11, Win7 x64, Flash 18.0.0.194
2015-07-07


Sample in that pass : 061c086a4da72ecaf5475c862f178f9d
(Out of topic payload : Rioselx.A 8adbb946d84f34013719a7d13fa4b437, which interestingly grabs Qadars ( 5efd70a7b9aecf388ae4d631db765d77 ) as a 2nd stage)

[Edit 2015-07-08
Angler EK is changing its URI pattern, presumably to evade IDS signatures written against the earlier one.
The landing pattern has changed drastically. Here are some examples:
viewtopic.php?z5wd=162&xk1t=07646&b=12
viewtopic.php?8je=13464&0=0&ef=508&y=8
viewtopic.php?9m3vs=19507&e6=627&jsqaa=72
viewtopic.php?SHY=926&l6j=26165&cJU1=6&G=1
viewtopic.php?q=149&c=989&CVE3=43&JV=96
]
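The five URIs above share a structure that a genuine phpBB thread view does not: three or more query parameters whose names look randomly generated and whose values are all short integers. The heuristic below, an added example and not code from the original post, turns that observation into a matcher you can run over proxy or IDS logs. The set of legitimate phpBB parameter names and the sample URI list are assumptions constructed for the example; only the five Angler URIs come from the post, and a pattern this specific will stop matching as soon as Angler rotates its landing URI again.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameter names a genuine phpBB viewtopic.php actually uses.
# Assumption for this example; extend with whatever your own forums emit.
PHPBB_PARAMS = {"f", "t", "p", "start", "sid", "view", "hilit", "mode",
                "ppp", "st", "sk", "sd"}

NAME_RE = re.compile(r"^[A-Za-z0-9]{1,6}$")   # short, random-looking alnum names
VALUE_RE = re.compile(r"^[0-9]{1,6}$")        # purely numeric values


def looks_like_angler_landing(uri: str) -> bool:
    """Heuristic match for the 2015-07-08 Angler EK 'viewtopic.php' landing URIs.

    Flags a request when the path ends in viewtopic.php, the query string has
    at least three parameters, every value is a short integer, every name is
    short alphanumeric, and at least one name is not a real phpBB parameter.
    """
    parts = urlsplit(uri)
    if not parts.path.endswith("viewtopic.php"):
        return False
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if len(pairs) < 3:
        return False
    if not all(NAME_RE.match(n) and VALUE_RE.match(v) for n, v in pairs):
        return False
    # A real phpBB thread view only uses known parameter names; Angler's are random.
    return any(n not in PHPBB_PARAMS for n, _ in pairs)


def scan(uris):
    """Return the subset of uris that match, preserving order."""
    return [u for u in uris if looks_like_angler_landing(u)]


# Constructed sample: the five URIs quoted in the post plus two benign phpBB ones.
SAMPLE_URIS = [
    "viewtopic.php?z5wd=162&xk1t=07646&b=12",
    "viewtopic.php?8je=13464&0=0&ef=508&y=8",
    "viewtopic.php?9m3vs=19507&e6=627&jsqaa=72",
    "viewtopic.php?SHY=926&l6j=26165&cJU1=6&G=1",
    "viewtopic.php?q=149&c=989&CVE3=43&JV=96",
    "viewtopic.php?f=12&t=34567&start=15",
    "http://forum.example/viewtopic.php?f=3&t=9&p=77&sid=ab12cd",
]

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print("HIT " if looks_like_angler_landing(u) else "ok  ", u)
```

Requiring at least three parameters and an unknown name keeps the common `viewtopic.php?f=…&t=…` thread link from firing; the benign `sid=` variant is rejected because its value is not numeric. Treat a hit as a lead to pull the full Fiddler-style session for, not as proof of exploitation on its own.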

Files: Fiddler (password is malware)

Neutrino :
2015-07-07
As spotted by Malwarebytes

Neutrino successfully exploiting IE11, Win7x64, Flash 18.0.0.194
2015-07-07

Sample in that pass : 6d14ba5c9719624825fd34fe5c7b4297
(out of topic payload : bunitu bfc1801adf55818b7b08c5cc064abd0c )
Files:Fiddler (password is malware)

Nuclear Pack :
2015-07-07

Nuclear Pack successfully exploiting IE11, Win7x64, Flash 18.0.0.194
2015-07-07
Sample in that pass :  16ac6fc55ab027f64d50da928fea49ec
(Out of topic payload : Troldesh.a : 2e67ccdd7d6dd80b248dc586cb2c4843 )
Files:Fiddler (password is malware)

[Edit 2015-07-08]
Patch is Available
Flash 18.0.0.203 fixing CVE-2015-5119 is out.
With 18.0.0.203 installed you are, for now, safe from all the exploit kits mentioned above.
[/edit 2015-07-08]

Magnitude :
2015-07-08

Flash 18.0.0.194 exploited via CVE-2015-5119 in Magnitude
2015-07-08 (after Patch)
Sample in that pass : 313cf1faaded7bbb406ea732c34217f4
(Out of topic dropped : 5b85fae87c02c00c0c78f70a87e9e920, most probably Cryptowall)
Files:Fiddler (password is malware)

Read More :
Leaked Flash zero-day likely to be exploited by attackers - 2015-07-07 Symantec
(Google Translate) : Hacking Team attack code analysis Part 1: Flash 0day - 2015-07-07  - 360 Security
PSA: Flash Zero-Day Now Active in The Wild - 2015-07-07 - Malwarebytes
Hacking Team Flash Zero-Day Integrated Into Exploit Kits - 2015-07-07 - TrendMicro

