2015-08-11 - Exploit Integration
CVE-2015-2419 (Internet Explorer) and Exploits Kits
As published by FireEye, Angler EK is now exploiting CVE-2015-2419, fixed with MS15-065.
Angler EK:
2015-08-10
It seems they might have started to work on that exploit as early as 2015-07-24, when some instances briefly used code to gather the ScriptEngineVersion from redirected visitors:
Angler EK gathering ScriptEngineVersion data the fast way, 2015-07-24
CVE-2015-2419 successfully exploiting IE11 on Windows 7, 2015-08-10 (here Bedep grabbing Pony and TeslaCrypt, then doing some ad fraud)
I spent (too much ;) ) time trying to decode that b value in the POST reply.
Here are some materials:
- The landing after a first pass of decoding, with some comments: http://pastebin.com/JQuyAXar
The POST call is handled by String['prototype']['jjd']; ggg is sent in the POST data along with the ScriptEngineVersion (17728 in the shared pass)
- The l() function handling the POST: http://pastebin.com/hxZJwbaY
- The POST data and reply after a first pass of decoding: http://pastebin.com/raw.php?i=NWkU7CXr
Files: 2 Fiddler captures (ScriptEngineVersion gathering and successful pass; password: malware)
Thanks:
Horgh_RCE for his help
Magnitude:
2015-08-22
(I am waiting for some strong confirmation on CVE-2015-2426 being used as PrivEsc only here)
Magnitude successfully exploiting CVE-2015-2419 to push an elevated (CVE-2015-2426) Cryptowall on IE11 in Win7, 2015-08-22
Note: CVE-2015-2426 seems to be used for privilege escalation only, and has been associated with the Flash exploit as well.
Cryptowall dropped by Magnitude executed as NT Authority\system after CVE-2015-2426, 2015-08-23
Pass showing the privilege escalation, which has been associated with the Flash exploit as well, 2015-08-23
Files: CVE-2015-2419 pass (password: malware)
CVE-2015-5122 pass featuring CVE-2015-2426 (password: malware)
Thanks:
Horgh_RCE, EKWatcher and Will Metcalf for their help
Nuclear Pack:
2015-08-23
Nuclear Pack exploiting IE11 in Win7 with CVE-2015-2419 to push TeslaCrypt, 2015-08-23
Neutrino:
CVE Identification by Timo Hirvonen
Neutrino successfully exploiting CVE-2015-2419 on IE11 in Windows 7, 2015-08-27
Files: Fiddler (password is malware)
RIG:
2015-08-27
RIG successfully exploiting CVE-2015-2419, 2015-08-27
Files: Fiddler (password is malware)
Hunter:
2015-08-27
@hunter_exploit, 2015-08-26
As spotted by Proofpoint, Hunter EK has integrated CVE-2015-2419.
Hunter Exploit Kit successfully exploiting CVE-2015-2419, 2015-08-27
Kaixin:
2016-01-08
Files: Fiddler here (password is malware)
(off topic: payload bb1fff88c3b86baa29176642dc5f278d firing PCRat/Gh0st ET rule 2016922)
Sundown:
2016-07-06 - Thanks Anton Ivanov (Kaspersky) for confirmation
Sundown successfully exploiting CVE-2015-2419, 2016-07-06. cmd into wscript into a Neutrino-ish named, RC4-encrypted payload suggests this is a rip of the Neutrino implementation.
Files: Sundown_CVE-2015-2419_2016-07-06 (password is malware)
Read More:
Hunter Exploit Kit Targets Brazilian Banking Customers - 2015-08-27 - Proofpoint
CVE-2015-2419 – Internet Explorer Double-Free in Angler EK - 2015-08-10 - Sudeep Singh, Dan Caselden - FireEye
2015-08-10 - ANGLER EK FROM 144.76.161.249 SENDS BEDEP - Brad, Malware-Traffic-Analysis (this shared pass includes CVE-2015-2419)
Generic bypass of next-gen intrusion / threat / breach detection systems - 2015-06-05 - Zoltan Balazs - Effitas
Post-publication reading:
Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 - Kaspersky