For this CVE referer to :

The first encounter I had with this CVE in exploit kit, was in the Sweet Orange from the actor pushing DarkShell via KR compromised website. The landing provided by @MalwareSigs the 2014-11-19 was already containing CVE-2014-6332

So this actor :
DarkShell pushed by Da Gong via CVE-2014-0515
that we saw moving to Sweet Orange :

Sweet Orange :

The URL pattern are different, but at a given time the modifications are similar on both...

Da Orangade firing CVE-2014-6332 and DarkShell Call back
GET http://98.126.249 .92:82/index.html
200 OK (text/html)

Sweet Orange Landing
A replace then a b64decode on the second b64 blob and we have :

CVE-2014-6332 in Sweet Orange
GET http://v.krtedun .com/sum.exe - DarkShell - fc1a3c9fc7a80e80109f1e2a32e2b057
200 OK (application/octet-stream)

Here a more "standard" Sweet Orange :

CVE-2014-6332 fired by Sweet Orange - And Betabot call back.
File :  You'll find a PCAP illustrating this here from (in this pcap the CVE-2014-6332 is in the first b64 blob)

Neutrino :

Neutrino Firing CVE-2014-6332 embedded in a flash

Please refer to this post : Neutrino : The come back !

Read More :

Neutrino : The come back ! - 2014-11-20
IBM X-Force Researcher Finds Significant Vulnerability in Microsoft Windows - 2014-11-11

Add a comment