2015-07-21 - Exploit Integration

CVE-2015-1671 (Silverlight up to 5.1.30514.0) and Exploit Kits



Patched with MS15-044, CVE-2015-1671 is described as a TrueType Font Parsing Vulnerability.
Silverlight versions up to 5.1.30514.0 are affected, but note: most browsers will warn that the plugin is outdated.

Out of date Plugin protection in Chrome 39.0.2171.71
Out of date ActiveX controls blocking in Internet Explorer 11
(introduced in August 2014)



Also consider that Microsoft announced the end of Silverlight at the beginning of the month.

Angler EK:
2015-07-21

Around the 1st of July, some new Silverlight-focused code appeared in the Angler EK landing page.
It even seems the coders left some debug code in, or made a mistake, as you could see this kind of popup for several hours on Angler EK.
Deobfuscated snippet of the Silverlight call exposed to victims in Angler EK
2015-07-02
I failed to get anything other than 0-size Silverlight calls.
I heard about filled calls from Eset and EKWatcher.
The exploit sent was 3fff76bfe2084c454be64be7adff2b87 and appears to be a variation of CVE-2015-1671 (Silverlight 5 before 5.1.40416.00). I spent hours trying to get a full exploit chain... No luck. Only 0-size calls.

But it seems it's back today (or I got luckier?):

--
Disclaimer: many indicators are whispering that it's the same variation of CVE-2015-1671, but I am still waiting for a strong confirmation.
--

Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in IE 11 on Windows 7
2015-07-21

Silverlight 5.1.10411.0 exploited by Angler EK via CVE-2015-1671 in Chrome 39 on Windows 7
2015-07-21

Silverlight 5.1.30514.0 exploited by Angler EK via CVE-2015-1671 in Firefox 38 on Windows 7
2015-07-21

Two DLLs (one x86, one x64) are encoded in the payload stream with XTEA, key: m0boo69biBjSmd3p
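One way to unpack such a payload stream, as an added example that is not code from the original post and not Angler's own decoder: an XTEA decryptor using the key quoted above, followed by a crude MZ/PE carver to split the plaintext into its DLLs. The post does not state the cipher parameters, so the mode (ECB), the round count (32), the byte order of the 32-bit words (little-endian, a guess for a Windows payload) and the mapping of the 16-byte ASCII key straight onto the four key words are all assumptions to check against the real stream. The sample stream built in `main()` is constructed; the only real test vector is the standard XTEA one used in `main()` with big-endian words.

```python
"""XTEA decrypt + PE carve for an Angler-style payload stream (added example).

Assumptions (not stated in the post): ECB, 32 rounds, delta 0x9E3779B9,
little-endian words, 16-byte ASCII key used as-is for the four key words.
"""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
ANGLER_KEY = b"m0boo69biBjSmd3p"  # key quoted in the post; 16 bytes = 4 words


def _fmt(byteorder, count):
    return ("<" if byteorder == "little" else ">") + "%dI" % count


def _key_words(key, byteorder):
    if len(key) != 16:
        raise ValueError("XTEA needs a 16-byte key")
    return struct.unpack(_fmt(byteorder, 4), key)


def encrypt_block(v0, v1, k, rounds=32):
    """Reference XTEA encipher on two 32-bit words (Wheeler/Needham)."""
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return v0, v1


def decrypt_block(v0, v1, k, rounds=32):
    """Reference XTEA decipher; runs the round schedule backwards."""
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return v0, v1


def _ecb(data, key, byteorder, rounds, block_fn):
    if len(data) % 8:
        raise ValueError("stream length must be a multiple of 8 (no padding handled)")
    k = _key_words(key, byteorder)
    fmt = _fmt(byteorder, 2)
    out = bytearray()
    for off in range(0, len(data), 8):  # ECB: every block independent (assumed)
        v0, v1 = struct.unpack_from(fmt, data, off)
        out += struct.pack(fmt, *block_fn(v0, v1, k, rounds))
    return bytes(out)


def xtea_encrypt(data, key=ANGLER_KEY, byteorder="little", rounds=32):
    return _ecb(data, key, byteorder, rounds, encrypt_block)


def xtea_decrypt(data, key=ANGLER_KEY, byteorder="little", rounds=32):
    return _ecb(data, key, byteorder, rounds, decrypt_block)


def find_pe_offsets(blob):
    """Offsets of plausible PE images: 'MZ' whose e_lfanew lands on 'PE\\0\\0'.

    e_lfanew is bounded to [0x40, 0x1000) to cut false positives from stray 'MZ'.
    """
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def carve_pe(blob):
    """Split a decrypted stream into its PE images (each runs to the next MZ)."""
    offs = find_pe_offsets(blob)
    return [blob[s:e] for s, e in zip(offs, offs[1:] + [len(blob)])]


def make_fake_dll(filler, size):
    """Constructed stand-in for a DLL: valid MZ/PE magic, no real code."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    hdr += b"PE\x00\x00"
    body = (filler * (size // len(filler) + 1))[: size - len(hdr)]
    return bytes(hdr) + body


def main():
    # Standard XTEA vector (big-endian words), to prove the block cipher itself.
    vec = xtea_encrypt(b"ABCDEFGH", bytes(range(16)), byteorder="big")
    print("XTEA vector ok:", vec.hex() == "497df3d072612cb5")
    # Constructed two-DLL stream, encrypted with the key from the post.
    stream = xtea_encrypt(make_fake_dll(b"x86", 512) + make_fake_dll(b"x64", 1024))
    for i, img in enumerate(carve_pe(xtea_decrypt(stream))):
        print("image", i, "size", len(img))


if __name__ == "__main__":
    main()
```

Before trusting `carve_pe` on a real stream, confirm that the decrypted bytes start with `MZ` at offset 0; if they do not, try the other byte order and a different key-word mapping before assuming a different cipher mode.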


Silverlight DLL in dotPeek after de4dot

Sample in those passes: ac05e093930662a2a2f4605f7afc52f2
(Off topic: the payload is Bedep, which then gathers an ad-fraud module; you have the XTEA key if you want to extract it.)

Files: Fiddler (password is malware)
[Edit: 2015-07-26, it has been spread to all Angler threads]

Thanks for help/tips:
Eset, Microsoft, Horgh_RCE, Darien Huss, Will Metcalf, EKWatcher.

Magnitude:
2015-07-28: it has been spotted by Will Metcalf in Magnitude.
It's a rip of Angler's.

Silverlight 5.1.30514.0 exploited by Magnitude
2015-08-29
Files: Fiddler (password is malware)


Read more:
CVE-2013-0074/3896 (Silverlight) integrates Exploit Kits - 2013-11-13