2016-03-26 - Exploit Integration

CVE-2016-1001 (Flash up to 20.0.0.306) and Exploit Kits

Two weeks after the Flash patch, and two months after the last Flash exploit integration in Angler, on 2016-03-25 Angler EK, in some threads, started sending an exploit to Flash Player 20.0.0.270 and 20.0.0.306.

I tried multiple configurations but I was not able to get exploited. The following day I got successful infections with Flash 20.0.0.270 and 20.0.0.306.

Angler EK : 2016-03-25

The CVE here has been identified as CVE-2016-1001 by ESET and Kaspersky (thanks).
2016-03-26 - Angler EK successfully exploiting Flash 20.0.0.306 in Internet Explorer 11 on Windows 7

Fiddler capture sent to VT here.
Hash of the associated SWF, fwiw : b609ece7b9f4977bed792421b33b15da
Observed as well : ab24d05f731caa4c87055af050f26917 and c4c59f454e53f1e45858e95e25f64d07

NB : this is just "one" pass. Angler EK can be used to spread whatever its customers want to spread.
Selected examples I saw in the last 4 days :
Teslacrypt (ID 20, 40, 52, 74, 47),
Locky (affid 14 - 7f2b678398a93cac285312354ce7d2b7 and affid 11 - f417b107339b79a49e4e63e116e84a32),
GootKit - b9bec4a5811c6aff6001efa357f1f99c,
Vawtrak - 0dc4d5370bc4b0c8333b9512d686946c,
Ramnit - 99f21ba5b02b3085c683ea831d79dc79,
Gozi ISFB (DGA nasa) - 11d515c2a2135ca00398b88eebbf9299,
BandarChor (several instances, ex. f97395004053aa28cadc6d4dc7fc0464 - 3c9b5868b4121a2d48b980a81dda8569),
Graybird/LatentBot - f985b38f5e8bd1dfb3767cfea89ca776,
Dridex - b0f34f62f49b9c40e2558c1fa17523b5 (this one was 10 days ago, but worth a mention),
Andromeda (several instances),
and obviously many Bedep threads and their stream of PE (evotob, reactorbot (several instances), Tofsee, Teslacrypt, Kovter, Miuref).

Edit 1: 2016-03-29 - I was mentioning 2016-1010 as a candidate, but it's not. Modified with the correct CVE ID provided by ESET and Kaspersky.