Reported by TrendMicro (2015-02-02), fixed with Adobe Flash Player, the code to exploit CVE-2015-0313 has been introduced in Hanjuan Exploit Kit at beginning of december 2014  according to Malwarebytes

Hanjuan is the name chosen by @MalwareSigs for an Exploit Kit he first reported on 2013-10-14.

I would say this pastebin from 2011 is already showing a traff/stats tuple from Hanjuan (or an ancestor).

 pastebin from 2011 - Candidate for stats/traff link for Hanjuan ancestor

On the 2015-02-03, I captured a Fiddler of the live chain exploiting CVE-2015-0313 as spotted by Trendmicro in their telemetry.

Full chain to bedep via CVE-2015-0313 - 2015-02-03

So despite what Dailymotion is claiming here , their USA users were indeed affected by this "0day".
But this can happen to any company showing ads. A web advert is often the result of a long chain of trust...(as software/drivers in operating fail, everyone fall).

The problem for me in that case is that Engage:BDR ( was totally aware that this specific customer (Caraytech group - ) was conditionally redirecting users to Hanjuan Exploit Kit.
I sent them a warning on 2014-12-12 and after not far from 80 mail exchanges till 2014-12-28, I decided to stop communicating with them as they were litigious and obviously not willing to stop the involved advert IDs. There were also many tweets from @BelchSpeak illustrating the issue.

You may now understand that tweet which is not exactly in line with my timeline.

(Note : I might ask for some help in case Engage:BDR decides to go the legal way against me because of this post - The irony : being more afraid from "legit" company than  from guys converting coffee in malware activity)

This exploit without a surprise is now being rolled in other Exploit Kit and again no surprise Angler is the first one.

Angler :

First spotted by @SecObscurity, CVE id confirmed by : Kaspersky.
Thanks Nathan Fowler for the Referer.

Angler EK successfully exploiting CVE-2014-6332 and CVE-2015-0313
Sample : 7143b55441f5ba77ed7bba5c39a9a594cb59d8d1d826f1f6e7c1085b8a85cddd

Timo's (from F-Secure) comment on it :

Commented Fiddler sent to VT

For who want the Necurs and Pony
(note : this pony that is around (in poke a mole mode)
[Right now : 02/11/2015 [**] /news.php ]
since at least october is most probably operated by the Bedep/Angler Team or a really close partner)

Read More :
Analyzing CVE-2015-0313: The New Flash Player Zero Day - 2015-02-04 - Peter Pi - TrendMicro
A New Zero-Day of Adobe Flash CVE-2015-0313 Exploited in the Wild - 2015-02-03 - Ben Hayak - SpiderLabs
HanJuan EK fires third Flash Player 0day - 2015-02-03 - Malwarebytes Lab
Trend Micro Discovers New Adobe Flash Zero-Day Exploit Used in Malvertisements - 2015-02-02 - Peter Pi - TrendMicro
Shining some light on the ‘Unknown’ Exploit Kit - 2014-08-28 Jerome Segura - MalwareBytes
Unknown EK - 2013-10-14 - MalwareSigs


View comments