Reported by TrendMicro (2015-02-02), fixed with Adobe Flash Player 18.104.22.1685, the code to exploit CVE-2015-0313 has been introduced in Hanjuan Exploit Kit at beginning of december 2014 according to Malwarebytes
Hanjuan is the name chosen by @MalwareSigs for an Exploit Kit he first reported on 2013-10-14.
I would say this pastebin from 2011 is already showing a traff/stats tuple from Hanjuan (or an ancestor).
|pastebin from 2011 - Candidate for stats/traff link for Hanjuan ancestor|
On the 2015-02-03, I captured a Fiddler of the live chain exploiting CVE-2015-0313 as spotted by Trendmicro in their telemetry.
|Full chain to bedep via CVE-2015-0313 - 2015-02-03|
So despite what Dailymotion is claiming here , their USA users were indeed affected by this "0day".
But this can happen to any company showing ads. A web advert is often the result of a long chain of trust...(as software/drivers in operating system...one fail, everyone fall).
The problem for me in that case is that Engage:BDR (delivery.first-impression.com) was totally aware that this specific customer (Caraytech group - e-planning.net ) was conditionally redirecting users to Hanjuan Exploit Kit.
I sent them a warning on 2014-12-12 and after not far from 80 mail exchanges till 2014-12-28, I decided to stop communicating with them as they were litigious and obviously not willing to stop the involved advert IDs. There were also many tweets from @BelchSpeak illustrating the issue.
You may now understand that tweet which is not exactly in line with my timeline.
(Note : I might ask for some help in case Engage:BDR decides to go the legal way against me because of this post - The irony : being more afraid from "legit" company than from guys converting coffee in malware activity)
This exploit without a surprise is now being rolled in other Exploit Kit and again no surprise Angler is the first one.
2015-02-10First spotted by @SecObscurity, CVE id confirmed by : Kaspersky.
Thanks Nathan Fowler for the Referer.
|Angler EK successfully exploiting CVE-2014-6332 and CVE-2015-0313|
Timo's (from F-Secure) comment on it :
Go home, Angler exploit kit, you're drunk - and you forgot to obfuscate your Flash exploit. pic.twitter.com/O1EZmlwrNq
— Timo Hirvonen (@TimoHirvonen) February 11, 2015
Commented Fiddler sent to VT
For who want the Necurs and Pony
(note : this pony that is around (in poke a mole mode)
[Right now : 02/11/2015 afraid.magicmotors.xyz [**] /news.php 22.214.171.124:80 ]
since at least october is most probably operated by the Bedep/Angler Team or a really close partner)
Read More :
Analyzing CVE-2015-0313: The New Flash Player Zero Day - 2015-02-04 - Peter Pi - TrendMicro
A New Zero-Day of Adobe Flash CVE-2015-0313 Exploited in the Wild - 2015-02-03 - Ben Hayak - SpiderLabs
HanJuan EK fires third Flash Player 0day - 2015-02-03 - Malwarebytes Lab
Trend Micro Discovers New Adobe Flash Zero-Day Exploit Used in Malvertisements - 2015-02-02 - Peter Pi - TrendMicro
Shining some light on the ‘Unknown’ Exploit Kit - 2014-08-28 Jerome Segura - MalwareBytes
Unknown EK - 2013-10-14 - MalwareSigs