2016-02-22 - Exploit Integration

CVE-2016-0034 (Silverlight up to 5.1.41105.0) and Exploit Kits




Fixed with the January 2016 Microsoft patches, CVE-2016-0034 (MS16-006) is a Silverlight memory corruption vulnerability. It was spotted by Kaspersky using rules written to hunt for Vitaliy Toropov's unknown Silverlight exploit mentioned in the HackingTeam leak.

Angler EK :

On 2016-02-18 the Angler landing changed slightly to integrate this piece of code:

Silverlight integration snippet from Angler landing after decoding
2016-02-18

resulting in a new call if Silverlight is installed on the computer:

Angler EK replying without body to Silverlight call
Here a pass in Great Britain dropping Vawtrak via Bedep buildid 7786
2016-02-18
I tried all instances I could find and the same behavior occurred on all.

2016-02-22 Here we go: the calls are not empty anymore.
Angler EK dropping Teslacrypt via Silverlight 5.1.41105.0 after the "EITest" redirect
2016-02-22
I made a pass with Silverlight 5.1.41212.0: safe.

Edit1: I received confirmation that it's indeed CVE-2016-0034 from multiple analysts including Anton Ivanov (Kaspersky). Thanks!


Xap file : 01ce22f87227f869b7978dc5fe625e16
Dll : 22a9f342eb367ea9b00508adb738d858
Out of topic payload : 6a01421a9bd82f02051ce6a4ea4e2edc (Teslacrypt)
Fiddler sent here

RIG : 
2016-03-29
Malc0de spotted a modification in the RIG landing indicating integration of the Silverlight exploit.
Here is a pass where the Silverlight exploit is being fired and exploitation succeeds. CVE identification by: Anton Ivanov (Kaspersky)
RIG - CVE-2016-0034 - 2016-03-29

Xap file in that pass :  acb74c05a1b0f97cc1a45661ea72a67a080b77f8eb9849ca440037a077461f6b
containing this dll : e535cf04335e92587f640432d4ec3838b4605cd7e3864cfba2db94baae060415
( Out of topic payload : Qbot 3242561cc9bb3e131e0738078e2e44886df307035f3be0bd3defbbc631e34c80 )
Files : Fiddler and sample (password is malware)
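
A XAP is a ZIP container, so the Xap and Dll hashes listed above for the Angler and RIG passes can be checked against files carved from proxy or Fiddler captures. The following is an added example, not part of the original post; the function names, the size limit and the sample archive are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Indicators copied from this post (Angler pass: MD5, RIG pass: SHA-256).
POST_IOCS = {
    "01ce22f87227f869b7978dc5fe625e16": "Angler XAP (2016-02-22)",
    "22a9f342eb367ea9b00508adb738d858": "Angler DLL inside XAP (2016-02-22)",
    "acb74c05a1b0f97cc1a45661ea72a67a080b77f8eb9849ca440037a077461f6b": "RIG XAP (2016-03-29)",
    "e535cf04335e92587f640432d4ec3838b4605cd7e3864cfba2db94baae060415": "RIG DLL inside XAP (2016-03-29)",
}
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # assumed limit: skip members declaring a larger size


def _digests(data):
    """Return the MD5 and SHA-256 hex digests of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def scan_xap(xap_bytes, iocs=POST_IOCS):
    """Hash a XAP and each file inside it; return [(name, digest, label), ...]."""
    hits = []
    for digest in _digests(xap_bytes):
        if digest in iocs:
            hits.append(("<xap>", digest, iocs[digest]))
    try:
        archive = zipfile.ZipFile(io.BytesIO(xap_bytes))
    except zipfile.BadZipFile:
        return hits  # not a ZIP container: only the outer hash was checked
    with archive:
        for info in archive.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            for digest in _digests(archive.read(info)):
                if digest in iocs:
                    hits.append((info.filename, digest, iocs[digest]))
    return hits


def build_sample_xap(dll_bytes):
    """Constructed sample: a minimal XAP-shaped ZIP, not a real exploit file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", "<Deployment/>")
        z.writestr("sample.dll", dll_bytes)
    return buf.getvalue()
```

Hashing the embedded DLL as well as the container matters because repacking the XAP changes the outer hash while the DLL inside can stay identical.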

Reading :
The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day - 2016-01-13 - Costin Raiu & Anton Ivanov - Kaspersky

Post Publication Reading:
(PDF) Analysis of Angler's new silverlight Exploit - 2016-03-10 - Bitdefender Labs