2016-04-08 - Exploit Integration

CVE-2016-1019 (Flash up to 21.0.0.182/187) and Exploit Kits




Spotted in a "degraded" version on the 2016-04-02 in Magnitude, live also since 2016-03-31 in Nuclear Pack, Adobe was really fast at fixing  this vulnerability with the patch released on the 2016-04-07 bringing Flash Player to version 21.0.0.213

It's not the first time a "0day" exploit is being used in a "degraded" state.
This happened before with Angler and CVE-2015-0310 and CVE-2014-8439

You'll find more details about the finding on that Proofpoint blog here :
"Killing a zero-day in the egg: Adobe CVE-2016-1019"
and on that FireEye blog here:
CVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit
Note : we worked with Eset, Kaspersky and Microsoft as well on this case.

Nuclear Pack :
2016-03-31 "Degraded"
Identification by  Eset, Kaspersky and FireEye (Thanks)
Exploit sent to Flash Player 20.0.0.306 by Nuclear Pack on the 2016-03-31
CVE-2016-1019 inside

Sample in that pass:  301f163644a525155d5e8fe643b07dceac19014620a362d6db4dded65d9cad90
Out of topic example of payload dropped that day by that instance of Nuclear : 42904b23cff35cc3b87045f21f82ba8b (locky)

Note the string "CVE-2016-1001" in the Nuclear Pack, explaining why maybe this exploit is being used in a degraded state.

CVE-2016-1001 string spotted by Denis O'Brien (Malwageddon), the 2016-04-05 in Nuclear Pack exploit

Magnitude :
2016-04-02 "Degraded" to 20.0.0.306
Identified as is by FireEye
[2016-04-07: TrendMicro told me they found some hits for this exploit in Magnitude back from 2016-03-31 as well]

Magnitude exploiting Flash 20.0.0.306 with CVE-2016-1019 the 2016-04-02 in the morning.
Payload is Cerber.


Side note : the check on the redirector in front of Magnitude ( http://pastebin.com/raw/gfEz25fa ) which might have been fixed with the CVE-2015-2413 was in Magnitude landing itself from September to end of November 2015.
res:// onload check features unobfuscated at that time in Magnitude Landing 2015-09-29

Sample in that pass: 0a664526d00493d711ee93662a693eb724ffece3cd68c85df75e1b6757febde5
Out of topic payload: 9d92fb315830ba69162bb7c39c45b219cb8399dd4e2ca00a1e21a5457f92fb3c Cerber Ransomware

Note: I got successful pass with Windows 8.1 and Flash 20.0.0.272 as well and Windows 10 build 1511 (feb 2016) via Flash 20.0.0.306 on Internet Explorer 11. Edge seems not being served a landing.

Neutrino:
2016-04-11 - "degraded" as well it seems. (at least didn't got it to work on Flash 21.x)
CVE id by @binjo and Anton Ivanov (Kaspersky)
Neutrino successfully exploit Flash 20.0.0.306 with CVE-2016-1019
2016-04-11
Fiddler : Sent to vt
Out of topic payload: 83de3f72cc44215539a23d1408c140ae325b05f77f2528dbad375e975c18b82e


Reading :
Killing a zero day in the egg : CVE-2016-1019 - 2016-04-07 - Proofpoint
CVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit - 2016-04-07 -  Genwei Jiang - FireEye
Zero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player - 2016-04-07 - Peter Pi, Brooks Li and Joseph C. Chen - TrendMicro