Channel: Malware don't need Coffee

CVE-2016-1010 (??? - Flash up to 20.0.0.306) and Exploit Kits


NB: the CVE id is not confirmed yet. This one is used with the same "power".
I'll fix/replace it if it appears to be the wrong id.


Two weeks after the Flash patch, and two months after the last Flash exploit integration in Angler, on 2016-03-25 Angler EK, in some threads, started sending an exploit to Flash Player 20.0.0.270 and 20.0.0.306.

I tried multiple configurations but was not able to get exploited. The following day I got successful infections with Flash 20.0.0.270 and 20.0.0.306. This is a good candidate for CVE-2016-1010. I asked for help to get an identification.

Angler EK:
2016-03-25
2016-03-26 - Angler EK successfully exploiting Flash 20.0.0.306 in Internet Explorer 11 on Windows 7
Fiddler sent to VT here.
Hash of the associated SWF, fwiw: b609ece7b9f4977bed792421b33b15da

NB: this is just "one" pass. This exploit can be used to spread whatever Angler EK customers want to spread.
Selected examples I saw in the last 4 days:
Teslacrypt (ID 20, 40, 52, 74, 47)
Locky (affid 14 - 7f2b678398a93cac285312354ce7d2b7 and affid 11 - f417b107339b79a49e4e63e116e84a32)
GootKit b9bec4a5811c6aff6001efa357f1f99c
Vawtrak 0dc4d5370bc4b0c8333b9512d686946c
Ramnit 99f21ba5b02b3085c683ea831d79dc79
Ursnif (DGA nasa) 11d515c2a2135ca00398b88eebbf9299
BandarChor (several instances, e.g. f97395004053aa28cadc6d4dc7fc0464 - 3c9b5868b4121a2d48b980a81dda8569)
Graybird/LatentBot f985b38f5e8bd1dfb3767cfea89ca776
Dridex - b0f34f62f49b9c40e2558c1fa17523b5 (this one was 10 days ago, but worth a mention)
Andromeda (several instances)
and obviously many Bedep threads and their stream of PE (evotob, reactorbot (several instances), Tofsee, Teslacrypt, Kovter, Miuref)
