2015-10-29 - Exploit Integration

CVE-2015-7645 (Flash up to 19.0.0.207) and Exploit Kits

The CVE-2015-7645 has been fixed with Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, this exploit was already reported 2 weeks before (2015-09-29) to Adobe by Natalie Silvanovich.

I reported the Flash 0-day (CVE-2015-7645) two weeks before it was found in the wild https://t.co/nYeAWRG5jO
— Natalie Silvanovich (@natashenka) 16 Octobre 2015

It has now made its way to Exploit Kit

Angler EK :
2015-10-29
CVE id confirmed by by Anton Ivanov ( Kaspersky )

Angler EK successfully exploiting Flash 19.0.0.207
2015-10-29

Flash sample in that pass : 4af57fb1c71bb9c1599371d48240ff36
Another sample : bea824974f958ac4efc58484a88a9c18
One more from the Poweliks instance : 0d72221d41eff55dcfd0da50cd1c545e

Not replayable fiddler sent to VT

Out of topic sample loaded by bedep :
5a60925ea3cc52c264b837e6f2ee915e Necurs
a9d5a9a997954f5421c94ac89d2656cd Vawtrak ( < that one was not expected in that infection path)

2016-03-12

Edge is now being served a landing and the flash being sent is targeting this CVE according to Kaspersky and Eset

Angler EK exploiting Flash 18.0.0.209 on Windows 10 (build 10240) through Edge

Fiddler : AnglerEK_Edge_18.0.0.209_2016-03-11.zip

Nuclear Pack:
2015-10-30
Nuclear Pack which has been playing with landing URI pattern lately has integrated it

CVE-2015-7645 in Nuclear Pack on 2015-10-30

Sample in that pass : f5dd2623ae871d58483bf14ec5d635e4

Out of topic payload : 0b3de2a8d838883e10a1d824d20fe95c Kelihos Loader (harsh02)

Fiddler sent to VT

Magnitude:
2015-11-10

Magnitude trying to exploit CVE-2015-7645
2015-11-10

Spotted sample : 21993dd3b943d935a9296aeff831cbb9 CVE id confirmed by Timo Hirvonen
No payload but the actor behind that thread would like to see you Cryptowalled. Update might come.

Spartan :
2015-11-12
Without surprise as Spartan is the work of the coder of Nuclear Pack.
Note : old version of Chrome <= 43.0.257 and Firefox < 38 seems to be falling as well

Spartan pushing Pony and Alphacrypt via CVE-2015-7645

2015-11-12

Sample in that pass : 1c074c862d3e25ec9674e6bd62965ad8 (another one: 66f34cd7ef06a78df552d18c729ae53c )
(out of topic payload : Pony: 29c940f9d0805771e9c7ec8a5939fa25 (45.63.71.12 /myadvert/autoget.php) and Cryptowall 74ebff4acc4ad9c2a2e665ff293c02e6 NB earlier today drops were Pony and Alphacrypt )
Fiddler sent to VT

Neutrino:
Most probably appeared 2015-10-16

Necurs being dropped by Neutrino via CVE-2015-7645
2015-11-17

Sample in that pass: 7dd9813ef635e98dd9585deaefecfcff

(Out of topic payload : Necurs a83a96e87e80adef1e4598a645f2918c )

Fiddler sent to VT (You might want to read the detailed analysis by Trustave)

Read More :
Adobe Flash: Type Confusion in IExternalizable.writeExternal When Performing Local Serialization - 2015-09-29 - Natalie Silvanovich
New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries - 2015-10-13 - Feike Hacquebord - Brooks Li - Peter Pi - TrendMicro
Latest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques - 2015-10-16 - Peter Pi - TrendMicro

Post Publication Reading :
Neutrino Exploit Kit – One Flash File to Rule Them All - 2015-12-28 - Daniel Chechik and Anat Davidi - Spiderlabs/Trustwave