Channel: Malware don't need Coffee

CVE-2014-9162 (Flash 15.0.0.242 and below) integrating Exploit Kits

CVE-2014-9162 was patched on 2014-12-09. It affects Flash Player 15.0.0.242 and below.
Angler EK: 2015-01-15 <- it seems. Angler EK was really rare those days (since December). I saw many...

Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK

This is a fast post. I will update it heavily in the coming hours/days. Sorry for the resulting mess. I spotted an instance of Angler EK that is sending three different bullets targeting Flash Player...

CVE-2015-0311 (Flash up to 16.0.0.287) integrating Exploit Kits

Patched with Flash 16.0.0.296, CVE-2015-0311 was first seen exploited by Angler EK (2015-01-20), and soon after used in "standalone" mode in a huge malvertising campaign (pushing either Reveton or...

Reveton's design refreshed - Winter 2015

"Snipshot" of the Reveton DK design :)
These days Reveton is mainly pushed on adult traffic via "standalone" CVE-2015-0311 Flash (posing as an advert) calling an XTEA-encoded stream. After not far from 2...

SkyShare : Evolution Mining Botnet System

At the beginning of the year, an advert for a mining botnet appeared on the underground:
Piece of the advert on the underground
Original text of the advert (translated):
------------------------------------------
I am offering...

CVE-2015-0313 (Flash up to 16.0.0.296) and Exploit Kits

Reported by TrendMicro (2015-02-02) and fixed with Adobe Flash Player 16.0.0.305, the code to exploit CVE-2015-0313 was introduced in Hanjuan Exploit Kit at the beginning of December 2014 according to...

New crypto ransomware in town : CryptoFortress

Blitz post. [This post has been heavily edited to fix my mistake. @kafeine after further verification, it seems CryptoFortress is completely different from TorrentLocker. They only stole the HTML and...

CVE-2015-0336 (Flash up to 16.0.0.305) and Exploit Kits

As reported by Malwarebytes and FireEye, Nuclear Pack is now taking advantage of a vulnerability patched with the latest version of Flash Player (17.0.0.134).
Nuclear Pack: Thanks @TimoHirvonen for CVE...

CVE-2015-0359 (Flash up to 17.0.0.134) and Exploit Kits

As spotted by FireEye on 2015-04-17, Angler EK is now taking advantage of a vulnerability patched with the latest version of Flash Player (17.0.0.169).
Angler EK: 2015-04-17
Angler EK successfully...

Another look at Niteris : post exploitation WMI and Fiddler checks

In this post we'll see some of the improvements that have been brought to Niteris.
Disclaimer: few configurations were tested, so most probably some added/replaced CVEs are missing.
The infection chain...

An Exploit Kit dedicated to CSRF Pharming

In April, studying a redirector that was previously associated with some (RIP) Sweet Orange activity, I landed on a TDS that was strangely denying the usual drive-by criteria (US, EU, JP, ... Internet...

On the other side of CTB-Locker : the Affiliate server.

If you do not know what CTB-Locker (aka Critroni) is, take a look at: "Crypto Ransomware" CTB-Locker (Critroni.A) on the rise (where you'll find the advert as well).
Hosted on Tor:...

CVE-2015-3090 (Flash up to 17.0.0.169) and Exploit Kits

As spotted by FireEye, Angler EK is now exploiting CVE-2015-3090, patched with Flash 17.0.0.188.
Angler EK: 2015-05-26
Only in a few instances for now. Angler EK successfully exploiting Flash 17.0.0.169 on...

Fast look at Sundown EK

Sun Down - Top Gun
Disclaimer: there is nothing worth a post there... except mentioning that this EK is around. I would put that "kit" in the same sad basket as Archie (same level, same kind of traffic...

CVE-2015-3105 (Flash up to 17.0.0.188) and Exploit Kits

Spotted by TrendMicro, Magnitude is now exploiting CVE-2015-3105, patched with Flash 18.0.0.160.
Magnitude: 2015-06-16
Magnitude successfully exploits Flash 17.0.0.188 in IE11 on Windows 7 and pushes 2...

CVE-2015-3113 (Flash up to 18.0.0.160) and Exploit Kits

Patched four days ago (2015-06-23) with Flash 18.0.0.194, CVE-2015-3113 was spotted as a 0day by FireEye, exploited in limited targeted attacks. It's now making its way to Exploit...

Kovter AdFraud is updating Flash Player

Checking my systems, I noticed multiple VMs trying to grab the latest version of Flash and thought they were not properly set up, allowing Flash Player to auto-update (which we obviously do not want - we want to...

A fileless Ursnif doing some POS focused reco

Mission Impossible via Brixe63
At the beginning of June, I noticed a "different" Angler pass. No drop and Ursnif callbacks.
Fileless Angler pass and Ursnif callback
Mon, 01 Jun 2015 14:48:06 GMT
I already...

CVE-2015-5119 (HackingTeam 0d - Flash up to 18.0.0.194) and Exploit Kits

As we are all aware, a 0d (for which a patch is expected tomorrow) was part of the files leaked from the HackingTeam compromise.
Flash 0day from #HackingTeam with a nice readme. Works very well on...

CVE-2015-5122 (HackingTeam 0d two - Flash up to 18.0.0.203) and Exploit Kits

Another 0d (patch expected in the coming week) was part of the files leaked from the HackingTeam compromise.
#HackingTeam So you said everything was patched? @Adobe pic.twitter.com/ER56kb2oqI —...
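Taken together, the Flash entries above give, for each CVE, the highest build that is still vulnerable (the "Flash up to X" wording of each title). The following is an added example, not code from this blog or from any exploit kit: a small Python check that parses a Flash build string (dotted, or the comma form the plugin reports to JavaScript, e.g. "WIN 16,0,0,287") and lists which of the CVEs covered on this page an unpatched visitor at that build would still be exposed to. The table is constructed from the post titles only, and it assumes, as those titles state, that every build at or below the named one is affected.

```python
import re
from typing import Dict, List, Tuple

# Highest vulnerable Flash Player build per CVE, copied from the
# "(Flash up to X)" wording of the post titles on this page. Constructed
# for this example; it covers only the CVEs the page lists, nothing else.
MAX_VULNERABLE_BUILD: Dict[str, str] = {
    "CVE-2014-9162": "15.0.0.242",
    "CVE-2015-0311": "16.0.0.287",
    "CVE-2015-0313": "16.0.0.296",
    "CVE-2015-0336": "16.0.0.305",
    "CVE-2015-0359": "17.0.0.134",
    "CVE-2015-3090": "17.0.0.169",
    "CVE-2015-3105": "17.0.0.188",
    "CVE-2015-3113": "18.0.0.160",
    "CVE-2015-5119": "18.0.0.194",
    "CVE-2015-5122": "18.0.0.203",
}


def parse_flash_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Flash build string into a comparable tuple of four integers.

    Accepts the dotted form ("16.0.0.287") as well as the comma-separated
    form the plugin reports to JavaScript ("WIN 16,0,0,287"). Anything that
    does not carry exactly four numeric components is rejected rather than
    silently compared as a shorter tuple.
    """
    digits = re.findall(r"\d+", text)
    if len(digits) != 4:
        raise ValueError(f"not a Flash build string: {text!r}")
    major, minor, release, build = (int(d) for d in digits)
    return major, minor, release, build


def exposed_cves(version: str) -> List[str]:
    """CVEs from the table that a Flash Player at `version` is still exposed to.

    Tuple comparison is lexicographic, which is the right order for dotted
    builds (17.0.0.188 > 17.0.0.169 even though "188" < "169" as text would
    not be the case in every string comparison).
    """
    current = parse_flash_version(version)
    return sorted(
        cve
        for cve, top in MAX_VULNERABLE_BUILD.items()
        if current <= parse_flash_version(top)
    )


if __name__ == "__main__":
    # Constructed sample inputs: one dotted build and one as seen from JS.
    for sample in ("16.0.0.287", "WIN 17,0,0,169", "18.0.0.209"):
        print(sample, "->", exposed_cves(sample) or "nothing on this page")
```

The check is only as good as the table: a build newer than 18.0.0.203 returns an empty list because this page stops at CVE-2015-5122, not because the build is safe against later Flash bugs.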
