2016-02-22 - Exploit Integration
CVE-2016-0034 (Silverlight up to 5.1.41105.0) and Exploit Kits
Fixed by the January 2016 Microsoft patches, CVE-2016-0034 (MS16-006) is a Silverlight memory corruption vulnerability. Kaspersky caught it in the wild with detection rules written to hunt for the then-unknown Silverlight exploit that Vitaliy Toropov offered to Hacking Team, as mentioned in the Hacking Team leak.
Angler EK :
On 2016-02-18 the Angler landing page changed slightly to integrate this piece of code:
Silverlight integration snippet from the Angler landing page after decoding, 2016-02-18
Angler EK replying with an empty body to the Silverlight call. A pass in Great Britain dropping Vawtrak via Bedep (build id 7786), 2016-02-18
2016-02-22: here we go, the replies to the Silverlight call are not empty anymore.
Angler EK dropping TeslaCrypt via Silverlight 5.1.41105.0 after the "EITest" redirect, 2016-02-22
Edit1: I received confirmation that it's indeed CVE-2016-0034 from multiple analysts, including Anton Ivanov (Kaspersky). Thanks!
XAP file (MD5): 01ce22f87227f869b7978dc5fe625e16
DLL (MD5): 22a9f342eb367ea9b00508adb738d858
Off-topic payload (MD5): 6a01421a9bd82f02051ce6a4ea4e2edc (TeslaCrypt)
Fiddler sent here
RIG :
2016-03-29
Malc0de spotted a modification in the RIG landing page indicating integration of a Silverlight exploit.
Here is a pass where the Silverlight exploit is fired and succeeds. CVE identification by Anton Ivanov (Kaspersky).
RIG - CVE-2016-0034 - 2016-03-29
containing this DLL (SHA256): e535cf04335e92587f640432d4ec3838b4605cd7e3864cfba2db94baae060415
(Off-topic payload: Qbot, SHA256 3242561cc9bb3e131e0738078e2e44886df307035f3be0bd3defbbc631e34c80)
Files : Fiddler and sample (password is malware)
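As an added example (not code from this post, nor from Angler, RIG or any of the analysts cited), the following Python script shows how a responder would triage a XAP like the ones hashed in the Angler and RIG sections above: a XAP is a ZIP archive whose AppManifest.xaml declares the managed assemblies the Silverlight runtime loads, so the script unpacks it, reads the assembly list from the manifest, hashes the archive and each assembly, and matches the results against the MD5s listed for the Angler sample and the SHA256 listed for the RIG DLL. The sample XAP it builds is constructed on the spot (a fake "Payload.dll" that only carries an MZ/PE stub) and matches none of the listed hashes; the IOC table is the one from this post.

```python
"""Triage a Silverlight XAP against the hashes listed in this post.

A XAP is a ZIP archive whose AppManifest.xaml lists the managed assemblies
(AssemblyPart elements) the Silverlight runtime loads, plus the entry point.
This hashes the archive and every assembly it declares, and matches them
against an IOC set that mixes MD5 (Angler section) and SHA256 (RIG section).
"""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# Hashes from the post: MD5 for the Angler XAP/DLL, SHA256 for the RIG DLL.
IOC_HASHES = {
    "01ce22f87227f869b7978dc5fe625e16": "Angler XAP, CVE-2016-0034, 2016-02-22",
    "22a9f342eb367ea9b00508adb738d858": "Angler DLL, CVE-2016-0034, 2016-02-22",
    "e535cf04335e92587f640432d4ec3838b4605cd7e3864cfba2db94baae060415":
        "RIG DLL, CVE-2016-0034, 2016-03-29",
}

# XML namespaces used by Silverlight AppManifest.xaml.
DEPLOY_NS = "http://schemas.microsoft.com/client/2007/deployment"
XAML_NS = "http://schemas.microsoft.com/winfx/2006/xaml"


def match_ioc(data, iocs=IOC_HASHES):
    """Return the IOC label if data's MD5 or SHA256 is listed, else None."""
    for algo in ("md5", "sha256"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in iocs:
            return iocs[digest]
    return None


def parse_manifest(manifest_xml):
    """Return (EntryPointAssembly, [(x:Name, Source), ...]) from AppManifest.xaml."""
    root = ET.fromstring(manifest_xml)
    if root.tag != f"{{{DEPLOY_NS}}}Deployment":
        raise ValueError("not a Silverlight deployment manifest")
    parts = [(p.get(f"{{{XAML_NS}}}Name"), p.get("Source"))
             for p in root.iter(f"{{{DEPLOY_NS}}}AssemblyPart")]
    return root.get("EntryPointAssembly"), parts


def triage_xap(xap_bytes, iocs=IOC_HASHES):
    """Hash the XAP and each declared assembly; flag anything in the IOC set."""
    report = {
        "xap_md5": hashlib.md5(xap_bytes).hexdigest(),
        "xap_sha256": hashlib.sha256(xap_bytes).hexdigest(),
        "xap_ioc": match_ioc(xap_bytes, iocs),
        "assemblies": [],
    }
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        names = set(z.namelist())
        if "AppManifest.xaml" not in names:
            raise ValueError("XAP has no AppManifest.xaml")
        entry, parts = parse_manifest(z.read("AppManifest.xaml"))
        report["entry_point"] = entry
        for name, source in parts:
            if source not in names:  # manifest declares an assembly the archive lacks
                report["assemblies"].append({"name": name, "source": source, "missing": True})
                continue
            data = z.read(source)
            report["assemblies"].append({
                "name": name, "source": source, "missing": False,
                "is_pe": data[:2] == b"MZ",   # managed assemblies are still PE files
                "md5": hashlib.md5(data).hexdigest(),
                "sha256": hashlib.sha256(data).hexdigest(),
                "ioc": match_ioc(data, iocs),
            })
    return report


def build_sample_xap():
    """Constructed stand-in for a XAP (not the Angler/RIG sample): one fake assembly."""
    manifest = (
        f'<Deployment xmlns="{DEPLOY_NS}" xmlns:x="{XAML_NS}" '
        'EntryPointAssembly="Payload" EntryPointType="Payload.App" RuntimeVersion="5.0.61118.0">'
        '<Deployment.Parts><AssemblyPart x:Name="Payload" Source="Payload.dll"/>'
        '</Deployment.Parts></Deployment>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", manifest)
        z.writestr("Payload.dll", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")  # fake PE stub
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_xap(build_sample_xap())
    print(f"entry point: {rep['entry_point']}  xap md5: {rep['xap_md5']}")
    for a in rep["assemblies"]:
        print(f"  {a['source']}: ioc={a['ioc']} pe={a.get('is_pe')}")
```

To run it on a real capture, pull the XAP body out of the Fiddler session and pass the bytes to `triage_xap`; a hit on either the archive hash or one of the assembly hashes ties the session to the sample listed here, and a manifest that declares assemblies the archive does not contain is itself worth a second look.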
Reading :
The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day - 2016-01-13 - Costin Raiu & Anton Ivanov - Kaspersky
Post Publication Reading:
Analysis of Angler's new Silverlight Exploit (PDF) - 2016-03-10 - Bitdefender Labs