<this post has been edited multiple time to fix some error, bring some new elements. may still be changed >

My goal was to grab CVE-2014-0556 when i landed yesterday on Fiesta but according to  @TimoHirvonen it's CVE-2014-0569 fixed only 1 week ago that has been fired here. It's a really fast integration in Exploit Kit. I've been told it landed in Fiesta after its coder reversed the patch (in 2 days).

So you know what to do : Ensure Flash Player is up to date ( - for IE10/IE11 user the patch to check is : KB3001237 )

Fiesta :

CVE-2014-0569 successfull pass in Fiesta EK
Fiesta Logo Courtesy of FoxIT.

GET http://rvdcgyisqy.myftp .org/jjcv7antdqqollz6mqusrbwjcu3z1835zzuurupwvyxdsy
200 OK (text/html) 

"Relevant section from Fiesta landing page : http://pastebin.com/K4gbQWpS"  By Jason in comments

GET http://rvdcgyisqy.myftp .org/cp9ne2q/4f25f1a50659fee801500b0e540a50040053040e5253510e0152060357535850;150000;144
200 OK (application/x-shockwave-flash) 254690dd89055c46f1a60713dbc26965 

GET http://rvdcgyisqy.myftp .org/cp9ne2q/55cd3f2a4a3ae27c5645085f015d03500100555f0704025a0001575202040b04;7
200 OK (application/octet-stream) 2b74a966466d612b069161b4fdd0f775 Payload : Ropest (thx @Horgh_rce )

GET http://rvdcgyisqy.myftp
200 OK (text/html)

Files : Nothing Yet.
Fiddler sent to VT here : 9bb6292633f4eccd54aeb23ad3555507

Angler EK :

[Edit 2014-10-22 : It appears this could be another CVE (0558 or 0564 or something else killed by the last update) than CVE-2014-0569 - Am asking for help in figuring out]
CVE-2014-0569 (?)  fired by Angler EK - 2014-10-21
Followed by Bedep activity and a Zeus Variant
GET http://three.creziontyro .in/qsx0jugfgk
200 OK (text/html) After first pass of deobfuscation http://pastebin.com/tnRKArFz (thx as always to @EKWatcher ) Update coming later maybe.

GET http://three.creziontyro .in/J-XQctybYriag-bOGIcSDh-HchIdpmXKk_M52H6bO6Y7NsJMsSIWWvNTG-R0tdBR
200 OK (application/x-shockwave-flash) d54a6cca8b6b52f6ed47769ba6397444 CVE-2014-xxxx

GET http://three.creziontyro .in/KxYioLx6A_QJguVdGPUpkrc6lJWbIWICBCyS8LR7X3pDLnTugBkW7GVC1vXjAtFj
200 OK (application/octet-stream)  Stream containing Shellcode and Bedep.

Target Payload : 831098a9d8db43bebf3d6ee67914888d  Kins Variant (Thanks to @maciekkotowicz who wrote about it on Kernelmode)

Files: Nothing Yet.
 Fiddler sent to VT here : 6c0cd2dae5c43f92d86411977bb28b08

Astrum EK:

So Astrum is owning Flash It seems the same undefined CVE (fixed 10 days ago by the  last Flash Player patch ) in Angler EK is being used here as well.

Astrum EK exploiting Flash to push Miuref AdFraud

(Once again...Sorry I do not have enough time yet to study this in details)

GET http://b.kok44 .com/qtzscn6d2vyrp.html
200 OK (text/html)

POST http://b.kok44 .com/nlPPOoTJIWP0MPcC66tPW6E881Kxrk4JpG3zUe7-T16vY_BTuvYfUu118wO64AEI8g..
404 Not Found (text/html)

GET http://b.kok44 .com/qtzscn6d2vyrp.html
200 OK (text/html)

POST http://b.kok44 .com/YYclWjoL_Ppe6BRhUmbCkQ7uSWFZaMeRW-0UZ1I9lZYMvEtmAjeXkRKhGWMEItyRDQ..
200 OK (text/html)

GET http://b.kok44 .com/iajJ15EwZW62x_js-V1bBebBpezyU14Fs8L46vkGDALkk6frqQwOBfqO9eysGUUF5Q..
200 OK (application/x-shockwave-flash)  99a8b37fcd995f859e2b7e22ce8fe72b CVE-2014-05xx ??

GET http://b.kok44 .com/pYU3o8dIJ8ma6gaYryUZosrsW5ikKxyin-8Gnq9-TqXIvlmf_3RMotajC5j1YQeiyQ..  After deobfuscation ; 3ef89107362630d2ad56e7bef5a717fc Miuref AdFraud (cf form. Partnerka.me)
200 OK (application/octet-stream)

Files: Nothing Yet.
Fiddler sent to VT here : 5e9abc8ef40bb98afb00e40f12958919


View comments