2017-01-06 - Exploit Integration

CVE-2016-7200 & CVE-2016-7201 (Edge) and Exploit Kits




CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, those have been fixed  in november 2016 (MS16-129) by Microsoft.

Note : No successful exploitation seen despite integration tries.

On 2017-01-04 @theori_io released a POC

providing again (cf CVE-2016-0189) ready-to-use code to Exploit Kit maintainer.

After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.

The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.

[edit : 2017-01-10]
​I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigation: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more "magic powder" to work there.
[/edit]

Sundown:
2017-01-06

Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06
No exploitation here though
Fiddler: Sundown_Edge__CVE-2016-7201_170106.zip (password is malware)

Out of topic: expected payload in that infection chain was zloader. (other payload seen in past weeks dropped via Sundown : Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner)

Neutrino:
2017-01-14
--
Thanks to Trendmicro for the multiple inputs that allowed me to keep plugged to this infection chain.
--
So as explained previously Neutrino is now in full private mode and fueled via Malvertising bought to several ad agencies (e.g. ZeroPark, ClickAdu, PropellerAds, HillTopAds) by a Traffer actor which I tag as NeutrAds. Their infection chain is now accepting/redirecting Microsoft Edge Browser as well.
Without big surprise a new exploit is included in the Flash bundle : nw27 >  CVE-2016-7200/7201.

NeutrAds redirect is now  accepting Edge traffic - 2017-01-14

Neutrino Embedding CVE-2016-7200/7201 - 2017-01-14
(Neutrino-v flash ran into Maciej ‘s Neutrino decoder )


Extracted CVE-2016-7200/7201  elements - 2017-01-14


Note: i did not get infection with
- Edge 25.10586.0.0 / EdgeHTML 13.10586
- Edge 20.10240.16384.0

Fiddler&Pcap : Neutrino-v_CVE-2016-72007201_170114.zip  (Password is malware)
Extracted exploits: Neutrino_2017-01-14.zip (Password is malware)

reveiled[.space|45.32.113.97 - NeutrAds Filtering Redirector
vfwdgpx.amentionq[.win|149.56.115.166 - Neutrino

Payload in that pass : Gootkit - b5567655caabb75af68f6ea33c7a22dbc1a6006ca427da6be0066c093f592610
Associated C2 :
buyyou[.org | 204.44.118.228
felixesedit[.com
fastfuriedts[.org
monobrosexeld[.org


So those days, in Asia you'll most probably get Cerber and in EU/NA you'll most probably get Gootkit
MISP : taxonomy illustrating some NeutrAds into Neutrino-v recorded activity (and post infection)
Kaixin:
2017-01-15 Finding by Simon Choi


CVE-2016-7200/7201 code fired by Kaixin - 2017-01-16
Fiddler : Kaixin_2017-01-16.zip (Password is malware)

Out of topic: payload in another pass (not fired by this exploit) was Blackmoon/Banbra 6c919213b5318cdb60d67a4b4ace709dfb7e544982c0e101c8526eff067c8332
Callback:
http://r.pengyou[.com/fcg-bin/cgi_get_portrait.fcg?uins=1145265195

http://67.198.186[.254/ca.php?m=525441744D5441744D6A63744E3055744D554D745130493D&h=437

Edits:
2016-11-10 - Adding information about mitigation on Edge
2016-11-14 - Adding Neutrino
2016-11-16 - Fixed the screenshot for Neutrino. Was stating CVE-2016-4117 was there. It's not
2016-11-16 - Adding Kaixin

Read More:
Three roads lead to Rome - Qihoo360 - 2016-11-29
Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) - Theori-io - 2017-01-04