As reported by Malwarebytes and FireEye, Nuclear Pack is now taking advantage of a vulnerability patched in the latest version of Flash Player (17.0.0.134).


Nuclear Pack: thanks @TimoHirvonen for CVE identification.
Appeared there on the morning of 2015-03-19 with this sample: cff213130ade23a2d03423305cff0639.


CVE-2015-0336 fired by Nuclear Pack - 2015-03-20

Nuclear Pack is firing both CVE-2015-0311 and CVE-2015-0336, depending on the instance you land on. The CVE-2015-0336 sample has rotated today:
c316dc31b8d4f85e655e15aa75c7b999 and later:
8c129a72b64580e0d1cf4d1e2324eb0f

Fiddler pushed to VT: Here

2015-03-20 - 17h: rewording to avoid confusion. The two Flash CVEs are not in the same sample.
NB: the exploit does not seem really reliable. I won't detail for obvious reasons.

Angler EK:
Spotted on 2015-03-24
Note: it's not in all instances. Thanks @TimoHirvonen for CVE confirmation.
Angler EK successfully exploiting CVE-2015-0336 - 2015-03-24
Sample is: 56827d66a70fb755967625ef6f002ad9
Fiddler pushed to VT: Here (note: password is malware)
Edit: 2015-03-27, now fired in all Angler EK instances.
Edit2: already there on 2015-03-20 according to FireEye (see comments).

Magnitude:
Spotted on 2015-03-27
Thanks Kaspersky for CVE confirmation.
Magnitude successfully exploiting CVE-2015-0336 - 2015-03-27
Sample was: d5707ffdeb966d17620951afc4840771c8ae32cb477c87d697d0261eea44fcb3
Fiddler pushed to VT: Here (note: password is malware)
Want the Cryptowall?
f0367ed57fcb871fce54aacfc4308235c8e2eb534939314f78f4442b0a61f149
Here (Owncloud - Sha).

Read more:
CVE-2015-0336 Nuclear EK - FireEye - 2015-03-19
Nuclear EK leverages recently patched Flash vulnerability - Malwarebytes - 2015-03-19