2015-07-08 - Exploit Integration
CVE-2015-5119 (HackingTeam 0d - Flash up to 18.0.0.194) and Exploit Kits
As we are all aware, a 0d (for which a patch is expected tomorrow) was part of the files leaked from the HackingTeam compromise.
Flash 0day from #HackingTeam with a nice readme. Works very well on Chrome etc. http://t.co/nfqck54YhT pic.twitter.com/8uAQuUIXGV— webDEViL (@w3bd3vil) July 6, 2015
As we were all expecting, integration in exploit kits was a matter of hours and it looks like Angler EK team is at it.
Angler EK :
2015-07-07
[Got confirmation from Anton Ivanov ( Kaspersky ) that this is indeed HT 0d]
[Sad Edit 2015-07-09] NB : If you see no credits here, it's because despite what you might read here or there...there was absolutely no mention anywhere of this CVE in Angler at the time of the Tweet/Publishing. Dark souls are dark [/Sad Edit]
Angler EK successfully exploiting IE11, Win7 x64, Flash 18.0.0.194 2015-07-07
Sample in that pass : 061c086a4da72ecaf5475c862f178f9d
(Out of topic payload : Rioselx.A 8adbb946d84f34013719a7d13fa4b437 which interestingly grabs Qadars ( 5efd70a7b9aecf388ae4d631db765d77) as 2nd stage)
[Edit 2015-07-08
Angler EK is trying to evade IDS by changing its URI pattern.
Angler EK changes landing pattern drastically
viewtopic.php?z5wd=162&xk1t=07646&b=12
viewtopic.php?8je=13464&0=0&ef=508&y=8
viewtopic.php?9m3vs=19507&e6=627&jsqaa=72
viewtopic.php?SHY=926&l6j=26165&cJU1=6&G=1
viewtopic.php?q=149&c=989&CVE3=43&JV=96
]
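The landing URIs above keep a stable shape even though the parameter names are randomized: a phpBB-looking `viewtopic.php` path, three to five query parameters, every value purely numeric, and keys that a real phpBB install would never emit. The following Python script is an added example (not code from the original post) that scores proxy log lines on that structural shape rather than on any exact string, so it survives the kind of pattern rotation shown above. The log lines, the host name and the set of "legitimate" phpBB parameter names are constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names a genuine phpBB viewtopic.php request normally carries
# (assumption for this example; extend with what your own forum traffic shows).
PHPBB_KEYS = {"f", "t", "p", "start", "sid", "view", "hilit", "st", "sk", "sd"}

NUMERIC = re.compile(r"\d+")


def is_suspicious_viewtopic(url):
    """Return True if the URL has the Angler-style viewtopic.php landing shape:
    3-5 parameters, all values numeric, at least two keys unknown to phpBB."""
    parts = urlsplit(url)
    path = parts.path
    if path != "viewtopic.php" and not path.endswith("/viewtopic.php"):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not 3 <= len(params) <= 5:
        return False
    if not all(NUMERIC.fullmatch(value) for _, value in params):
        return False
    unknown_keys = [key for key, _ in params if key not in PHPBB_KEYS]
    return len(unknown_keys) >= 2


def scan_log(lines):
    """Scan 'timestamp client method url' lines and return the flagged URLs."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash
        url = fields[3]
        if is_suspicious_viewtopic(url):
            flagged.append(url)
    return flagged


# Constructed sample log: the five URIs from the post plus benign phpBB traffic.
SAMPLE_LOG = [
    "1436256000.101 10.0.0.5 GET http://landing.invalid/viewtopic.php?z5wd=162&xk1t=07646&b=12",
    "1436256001.202 10.0.0.6 GET http://landing.invalid/viewtopic.php?8je=13464&0=0&ef=508&y=8",
    "1436256002.303 10.0.0.7 GET http://landing.invalid/viewtopic.php?9m3vs=19507&e6=627&jsqaa=72",
    "1436256003.404 10.0.0.8 GET http://landing.invalid/viewtopic.php?SHY=926&l6j=26165&cJU1=6&G=1",
    "1436256004.505 10.0.0.9 GET http://landing.invalid/viewtopic.php?q=149&c=989&CVE3=43&JV=96",
    "1436256005.606 10.0.0.5 GET http://forum.invalid/viewtopic.php?f=2&t=12345",
    "1436256006.707 10.0.0.5 GET http://forum.invalid/viewtopic.php?f=2&t=12345&start=20",
    "1436256007.808 10.0.0.6 GET http://forum.invalid/viewtopic.php?f=2&t=123&sid=abc123def",
]

if __name__ == "__main__":
    for url in scan_log(SAMPLE_LOG):
        print("suspicious landing URI:", url)
```

Run stand-alone it prints the five Angler URIs and none of the forum requests. The check is a heuristic, not a signature: a kit can change the path name or start using non-numeric values, so treat a hit as a pivot for looking at the response (Flash object served to a vulnerable 18.0.0.194 client) rather than as proof on its own.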
Neutrino :
2015-07-07
As spotted by Malwarebytes
Neutrino successfully exploiting IE11, Win7 x64, Flash 18.0.0.194 2015-07-07
Sample in that pass : 6d14ba5c9719624825fd34fe5c7b4297
(out of topic payload : bunitu bfc1801adf55818b7b08c5cc064abd0c )
Files: Fiddler (password is malware)
Nuclear Pack :
2015-07-07
Nuclear Pack successfully exploiting IE11, Win7 x64, Flash 18.0.0.194 2015-07-07
(Out of topic payload : Troldesh.a : 2e67ccdd7d6dd80b248dc586cb2c4843 )
Files: Fiddler (password is malware)
[Edit 2015-07-08]
Patch is Available
Flash 18.0.0.203 fixing CVE-2015-5119 is out.
[/edit 2015-07-08]
Magnitude :
2015-07-08
Flash 18.0.0.194 exploited via CVE-2015-5119 in Magnitude 2015-08-08 (after Patch)
( Out of topic dropped: 5b85fae87c02c00c0c78f70a87e9e920 most probably Cryptowall)
Files: Fiddler (password is malware)
RIG:
2015-07-09
Flash 18.0.0.194 exploited via CVE-2015-5119 by RIG 2015-08-09 (after Patch)
(Out of topic payload: 195ce14e97761accda3d32dba0219f02 Cryptowall, but you could have guessed that from the pattern of what I think are loads stolen from customers)
Files : Fiddler (password is malware)
Hanjuan :
Most probably before patch.
The following instance is operated by the same group who introduced CVE-2015-0313 in December.
They seem to be doing some micro geo-targeting in the US, which makes them not that easy to catch.
Flash 18.0.0.194 exploited via CVE-2015-5119 by Hanjuan 2015-08-09 (after Patch - but the introduction of the exploit is older for sure)
(Out of topic payload : it's fileless Bedep grabbing the same AdFraud as in January)
Files : Fiddler (password is malware)
NullHole :
(see this post for more info about NullHole)
Flash 18.0.0.194 exploited via CVE-2015-5119 by NullHole
(out of topic payload : 9421b8b31ace48daafc31fd56af19cc9 )
Files : Fiddler (Password is malware)
Read More :
Leaked Flash zero-day likely to be exploited by attackers - 2015-07-07 Symantec
(Google Translate) : Hacking Team attack code analysis Part 1: Flash 0day - 2015-07-07 - 360 Security
PSA: Flash Zero-Day Now Active in The Wild - 2015-07-07 - Malwarebytes
Post Publication Readings :
CVE-2015-5119 Flash ByteArray UaF: A beginner's walkthrough - 2015-09-24 - Portcullis Labs
Sednit APT Group Meets Hacking Team - 2015-07-10 - ESET
Hacking Team Flash Zero-Day Integrated Into Exploit Kits - 2015-07-07 - Trend Micro
APT Group UPS Targets US Government with Hacking Team Flash Exploit - 2015-07-10 - Palo Alto