Angler EK is definitely on the move. It's not a huge surprise when we can speculate that the team behind is the same that was first using Cool EK (Paunch VIP customer) and is behind the Reveton threat.
After integrating CVE-2013-0634 past week
Angler EK's first move on 2013-11-05. Spotted by @node5 and @EKWatcher : CVE-2013-0634. Confirmed by @timohirvonenpic.twitter.com/HOvpqhW0qm
— kafeine (@kafeine) November 7, 2013
EKWatcher has spotted a new change today : the silverlight check has now been activated and deliver an exploit.
Looks like "Angler EK" is including a Silverlight Exploit - in preference to ones for vulnerable Flash and JavaPedro Marinho from Emerging Threats pointed links with Packet Storm Exploit 2013-1022-1 - Microsoft Silverlight Invalid Typecast / Memory Disclosure
— Chris Wakelin (@EKwatcher) November 13, 2013
(right now I don't understand why CVE-2013-3896 is mentionned here. Will update if I learn about it)
CVE-2013-0074 pass in Angler EK :
| Image may be NSFW. Clik here to view.  |
| CVE-2013-0074 successful pass in Angler EK 2013-11-13 |
| Image may be NSFW. Clik here to view.  |
| Silverlight 5.1.10411.0 Addon In IE used in that pass |
Note: I made a pass with Silverlight 5.1.20513.0 - as fire condition told us : safe.
GET http://peragretisque.yevgenimalkin .com/leoccvkead
200 OK (text/html)
| Image may be NSFW. Clik here to view.  |
| Sliverlight version checks Angler EK 2013-11-13 |
| Image may be NSFW. Clik here to view.  |
| Deciding if Silverlight must be fired : "sterlings" in Angler - 2013-11-13 |
| Image may be NSFW. Clik here to view.  |
| Call for Silverlight Exploit in Angler 2013-11-13 |
200 OK (text/html)
| Image may be NSFW. Clik here to view.  |
| Silverlight Call |
| Image may be NSFW. Clik here to view.  |
| Content of that zip |
| Image may be NSFW. Clik here to view.  |
| Dll TimeStamp |
The DLL ( 5f36a4c019d559f1be9fdd0cd770be2e ) would be worth some works but as often, I do not have the knowledge right now to provide useful data. Will link analysis that may come.
GET http://peragretisque.yevgenimalkin .com/1leoccvkeadmnp
200 OK (application/octet-stream) Xored Reveton Ransomware.
| Image may be NSFW. Clik here to view.  |
| One of the US Reveton Design 2013-11-13 |
| Image may be NSFW. Clik here to view.  |
| Silverlight 5.1.10411.0 Addon In Firefox 17 |
| Image may be NSFW. Clik here to view.  |
| Firefox Warning on Silverlight call from Angler EK 2013-11-13 |
| Image may be NSFW. Clik here to view.  |
| Silverlight 5.1.10411.0 - Firefox 17 Angler EK 2013-11-13 |
Here is a Pcap
(Courtesy of Will Metcalf from Emerging Threats).
Here is a Fiddler
Read More :
Packet Storm Exploit 2013-1022-1 - Microsoft Silverlight Invalid Typecast / Memory Disclosure Authored by Vitaliy Toropov
CVE-2013-0074 NIST
Lua Script by Emerging Threats to detect the exploitation in Suricata (can also be run from Command line)