Channel: Malware don't need Coffee

CVE-2016-1010 (??? - Flash up to 20.0.0.306) and Exploit Kits

NB: the CVE id is not confirmed yet. This one is used with the same "power".
I'll fix/replace it if it appears to be the wrong id.


Two weeks after the Flash patch, and two months after the last Flash exploit integration in Angler, on 2016-03-25 Angler EK, in some threads, started sending an exploit to Flash Player 20.0.0.270 and 20.0.0.306.

I tried multiple configurations but was not able to get exploited. The following day I got successful infections with Flash 20.0.0.270 and 20.0.0.306. This is a good candidate for CVE-2016-1010. I asked for help to get an identification.

Angler EK:
2016-03-25
2016-03-26 - Angler EK successfully exploiting Flash 20.0.0.306 in Internet Explorer 11 on Windows 7
Fiddler sent to VT here.
Hash of the associated SWF, fwiw: b609ece7b9f4977bed792421b33b15da
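Since the post only gives the Flash builds Angler was hitting, the practical defender question is which clients on the network still run a build at or below 20.0.0.306. This is an added example, not code from the post or from Kafeine: it pulls the x-flash-version request header (which Flash Player sends when it fetches a SWF) out of constructed proxy log lines and flags exposed clients; the log layout and the assumption that nothing above 20.0.0.306 is affected are mine, since the page names no fixed build.

```python
import re

# Highest Flash Player build the post reports Angler EK exploiting.
# Builds above it are treated as not affected; that is an assumption,
# as the post does not name the fixed build.
MAX_EXPLOITED_VERSION = (20, 0, 0, 306)

# Flash Player reports its build in an x-flash-version request header
# (comma-separated, e.g. "20,0,0,306") when it requests a SWF.
FLASH_HEADER_RE = re.compile(r"x-flash-version:\s*([\d,\.]+)", re.IGNORECASE)


def parse_version(text):
    """Turn '20,0,0,306' or '20.0.0.306' into a comparable tuple of ints."""
    parts = re.split(r"[.,]", text.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def exposed_clients(log_lines):
    """Return (client, version) pairs whose Flash build is at or below the exploited one."""
    hits = []
    for line in log_lines:
        match = FLASH_HEADER_RE.search(line)
        if not match:
            continue
        version = parse_version(match.group(1))
        if version is None:
            continue
        client = line.split()[0]  # assumed log layout: client address comes first
        if version <= MAX_EXPLOITED_VERSION:
            hits.append((client, ".".join(map(str, version))))
    return hits


# Constructed sample proxy lines (not from the post): client, method, URL, header.
SAMPLE_LOG = [
    "10.0.0.5 GET http://example.test/a.swf x-flash-version: 20,0,0,306",
    "10.0.0.6 GET http://example.test/b.swf x-flash-version: 20,0,0,270",
    "10.0.0.7 GET http://example.test/c.swf x-flash-version: 21,0,0,182",
    "10.0.0.8 GET http://example.test/d.swf x-flash-version: 20,0,0,30",
]

if __name__ == "__main__":
    for client, version in exposed_clients(SAMPLE_LOG):
        print(client, version)
```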

NB: this is just "one" pass. This exploit can be used to spread whatever Angler EK customers want to spread.
Selected examples I saw in the last 4 days:
Teslacrypt (ID 20, 40, 52, 74, 47),
Locky (affid 14 - 7f2b678398a93cac285312354ce7d2b7 and affid 11 - f417b107339b79a49e4e63e116e84a32),
GootKit b9bec4a5811c6aff6001efa357f1f99c,
Vawtrak 0dc4d5370bc4b0c8333b9512d686946c,
Ramnit 99f21ba5b02b3085c683ea831d79dc79,
Ursnif (DGA nasa) 11d515c2a2135ca00398b88eebbf9299,
BandarChor (several instances, ex f97395004053aa28cadc6d4dc7fc0464 - 3c9b5868b4121a2d48b980a81dda8569),
Graybird/LatentBot f985b38f5e8bd1dfb3767cfea89ca776,
Dridex - b0f34f62f49b9c40e2558c1fa17523b5 (this one was 10 days ago, but worth a mention),
Andromeda (several instances),
and obviously many Bedep threads and their stream of PE (evotob, reactorbot (several instances), Tofsee, Teslacrypt, Kovter, Miuref).
