Malware don't need Coffee

CVE-2016-0034 (Silverlight up to 5.1.41105.0) and Exploit Kits

CVE-2016-0034 (MS16-006), fixed with the January 2016 Microsoft patches, is a Silverlight memory corruption vulnerability. Kaspersky spotted it with detection rules written to hunt for Vitaliy Toropov's then-unknown Silverlight exploit mentioned in the Hacking Team leak.

Angler EK :

On 2016-02-18 the Angler landing page changed slightly to integrate this piece of code:

Figure: Silverlight integration snippet from the Angler landing page, after decoding (2016-02-18)

resulting in a new call if Silverlight is installed on the computer:

Figure: Angler EK replying without a body to the Silverlight call. Here, a pass in Great Britain dropping Vawtrak via Bedep buildid 7786 (2016-02-18)
I tried all the instances I could find and the same behaviour occurred on all of them.

2016-02-22, here we go: the calls are not empty anymore.
Figure: Angler EK dropping TeslaCrypt via Silverlight 5.1.41105.0 after the "EITest" redirect (2016-02-22)
I made a pass with Silverlight 5.1.41212.0: safe.
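The behaviour described above is a client-side gate: the landing page only requests the .xap when Silverlight is present, and the exploit only lands on an unpatched build. The block below is an added illustration of that gate and of the defender's mirror image of it; it is not the Angler snippet and not code from this post. It assumes the plugin is exposed through a navigator.plugins entry whose name contains "Silverlight" and whose description carries the build number (the IE ActiveX path via AgControl.AgControl is not implemented here), and it takes the two build numbers tested in the post as its only data points: 5.1.41105.0 exploited, 5.1.41212.0 safe.

```javascript
// Added example (not Angler's code, not from the original post).
// Shows how a landing page decides whether to fire the Silverlight (.xap)
// request at all, and how a defender can run the same version logic over
// telemetry. Build numbers are the ones observed in the post above.

const PATCHED_VERSION = "5.1.41212.0"; // build the post observed as safe

// Compare two dotted version strings numerically. A lexical comparison would
// wrongly rank "5.1.9.0" above "5.1.41212.0", so each component is parsed.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Pull a Silverlight build number out of a navigator-like object.
// Assumption: the plugin entry's name contains "Silverlight" and its
// description contains the dotted build number. Returns null when absent.
function detectSilverlightVersion(nav) {
  const plugins = (nav && nav.plugins) || [];
  for (const p of plugins) {
    if (/silverlight/i.test(p.name || "")) {
      const m = /(\d+(?:\.\d+){1,3})/.exec(p.description || "");
      return m ? m[1] : null;
    }
  }
  return null; // no plugin entry (or an IE/ActiveX-only install we don't probe)
}

// The landing-page side of the gate: request the .xap only when Silverlight
// is installed and older than the patched build. Before the plugin check the
// post observed no .xap call at all, which is what this short-circuit models.
function shouldRequestXap(nav) {
  const v = detectSilverlightVersion(nav);
  return v !== null && compareVersions(v, PATCHED_VERSION) < 0;
}

// The defender's side: classify a build number seen in proxy or EDR telemetry.
function classifySilverlight(version) {
  if (version === null) return "not-installed";
  return compareVersions(version, PATCHED_VERSION) < 0 ? "vulnerable" : "patched";
}

// Constructed navigator objects (sample input, not captured browser data).
const SAMPLE_VULNERABLE = { plugins: [{ name: "Silverlight Plug-In", description: "5.1.41105.0" }] };
const SAMPLE_PATCHED    = { plugins: [{ name: "Silverlight Plug-In", description: "5.1.41212.0" }] };
const SAMPLE_NONE       = { plugins: [{ name: "Shockwave Flash", description: "Shockwave Flash 20.0 r0" }] };

// Run all three samples through both sides of the check.
function demo() {
  const out = {};
  for (const [label, nav] of Object.entries({ vulnerable: SAMPLE_VULNERABLE, patched: SAMPLE_PATCHED, none: SAMPLE_NONE })) {
    const v = detectSilverlightVersion(nav);
    out[label] = { version: v, xapRequested: shouldRequestXap(nav), verdict: classifySilverlight(v) };
  }
  return out;
}

console.log(demo());
```

Two caveats. The cut-off is the one build the post saw as safe; the post tested only 5.1.41105.0 and 5.1.41212.0, so treating every build below 5.1.41212.0 as exploitable by this sample is an inference, not something the post demonstrates. And a real landing page would not carry this logic in the clear: the post's snippet was only readable "after decoding", so a detection written against plugin-enumeration strings needs to run on the deobfuscated script or on the resulting .xap request, not on the raw landing page.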

Edit 1: I received confirmation that it is indeed CVE-2016-0034 from multiple analysts, including Anton Ivanov (Kaspersky). Thanks!


Xap file: 01ce22f87227f869b7978dc5fe625e16
Dll: 22a9f342eb367ea9b00508adb738d858
Off-topic payload: 6a01421a9bd82f02051ce6a4ea4e2edc (TeslaCrypt)
Fiddler capture: sent here

Reading:
The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day - 2016-01-13 - Costin Raiu & Anton Ivanov - Kaspersky
