CVE-2015-1671 (Silverlight up to 5.1.30514.0) and Exploit Kits
Patched with MS15-044, CVE-2015-1671 is described as a TrueType Font Parsing Vulnerability. Silverlight up to 5.1.30514.0 is affected, but note: most browsers will warn that the plugin is outdated. Out of...
CVE-2015-2419 (Internet Explorer) and Exploit Kits
As published by FireEye, Angler EK is now exploiting CVE-2015-2419, fixed with MS15-065. Angler EK: 2015-08-10. It seems they might have started to work on that exploit as early as 2015-07-24, when some...
CVE-2015-5560 (Flash up to 18.0.0.209) and Exploit Kits
Patched with Flash version 18.0.0.232, CVE-2015-5560 is now being exploited by Angler EK. Angler EK: 2015-08-29. [Edit: 2015-09-01] Exploit identified by Kaspersky as CVE-2015-5560. [/edit] The exploit has...
Shifu
For several days I have noticed a shift in malware distribution in the UK. Many of the infection paths that I follow are now dropping a banker that I have already seen many times, especially at the end of 2014 and...
A DoubleClick https open redirect used in some malvertising chains
In the post on the UK-focused Shifu I illustrated malvertising traffic to Angler. The traffer group behind this activity is the same one exposed by BelchSpeak from Invincea in many tweets (explaining the...
CVE-2015-7645 (Flash up to 19.0.0.207) and Exploit Kits
CVE-2015-7645 has been fixed with Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by Trend Micro, this exploit had already been reported two weeks before (2015-09-29)...
Inside Jahoo (Otlard.A ?) - A Spam Botnet
(Image: Trash and Mailbox by Bethesda Softworks)
Otlard.A (or let's say at least the malware triggering 2806902 || ETPRO TROJAN Win32.Otlard.A C&C Checkin response) is a spam botnet. I saw it loaded as a...
Nuclear Pack loads a fileless CVE-2014-4113 Exploit
Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack. Without much surprise, the sample (592899e0eb3c06fb9fda59d03e4b5b53) dropped by Nuclear is the same as the one proposed as a fake update. But...
CVE-2015-8446 (Flash up to 19.0.0.245) and Exploit Kits
One week after the patch, Flash 19.0.0.245 is being exploited by Angler EK via CVE-2015-8446. Angler EK: 2015-12-14. CVE identification by Anton Ivanov (Kaspersky) and FireEye (thanks!). Angler EK exploiting...
XXX is Angler EK
(Image: screenshot of a MonterAV affiliate)
As I got many questions about an EK named XXX (that is said to be better than Angler ;) ), I decided to share some data here. XXX is Angler EK (it's the real name of its...
CVE-2015-8651 (Flash up to 20.0.0.228/235) and Exploit Kits
While other exploit kits are struggling to keep up with Angler (none is firing CVE-2015-8446, maybe because of the Diffie-Hellman protection on Angler's exploits), Nuclear / Magnitude and Neutrino...
Cryptowall son of Borracho (Flimrans) ?
Lately I have received multiple questions about the connection between Reveton and Cryptowall. I decided to have a look. A search in the ET Intelligence portal for domains from Yonathan's Cryptowall Tracker... ET...
CVE-2016-0034 (Silverlight up to 5.1.41105.0) and Exploit Kits
Fixed with the January 2016 Microsoft patches, CVE-2016-0034 (MS16-006) is a Silverlight memory corruption vulnerability; it was spotted by Kaspersky with rules written to hunt Vitaliy Toropov's...
CVE-2016-1010 (??? - Flash up to 20.0.0.306) and Exploit Kits
NB: the CVE id is not confirmed yet. This one is used with the same "power". I'll fix/replace it if it turns out to be the wrong id. Two weeks after the Flash patch, two months after the last Flash exploit...
CVE-2016-1019 (Flash up to 21.0.0.182/187) and Exploit Kits
This vulnerability was spotted in a "degraded" version on 2016-04-02 in Magnitude, and had been live since 2016-03-31 in Nuclear Pack; Adobe was really fast at fixing it, with the patch released on 2016-04-07...
Bedep has raised its game vs Bot Zombies
(Image: Simulacra & Simulation by Jean Baudrillard, as featured in The Matrix)
Bedep could be described as a fileless loader with a resident module that can optionally perform ad fraud. It is intimately tied to Angler EK and...
U-Admin (Universal Admin): A Phishing (Web & Android)/Grabber/ATS/Token kit
(Image: Fallout Vault Boy mask)
The goal of this post is to open-source data on a kit that has been seen live impersonating bank portals. This is mostly raw data; only a few parts will be "google translated". On...
CVE-2016-4117 (Flash up to 21.0.0.213) and Exploit Kits
Discovered being exploited in the wild by FireEye [1] on May 8, 2016, and patched four days later with Flash 21.0.0.242, CVE-2016-4117 is making its way into exploit kits. Magnitude: CVE confirmed by FireEye -...
Is it the End of Angler ?
Everyone looking at the drive-by landscape is seeing the same thing: after Nuclear disappeared around April 30th, Angler EK has totally vanished since June 7th. We were first thinking of a vacation, as in January...
CVE-2016-0189 (Internet Explorer) and Exploit Kits
Spotted in the wild by Symantec and patched with MS16-051 in May 2016, CVE-2016-0189 is now being integrated into exploit kits. Neutrino Exploit Kit: seen here on 2016-07-13, but I am being told that I am late to the...