2013-01-26 - Evolution

New bullets (CVE-2012-0775 - CVE-2012-1889 - CVE-2012-1876(?) - CVE-2012-4792) in "Cool EK" Weapon


Once again guys behind the Cool EK are using (or trying to use) bullets never seen before in blind mass attack. The brand new one is :

snipshot from Mitre.org
CVE-2012-0775 :

"The JavaScript implementation in Adobe Reader and Acrobat 9.x before 9.5.1 and 10.x before 10.1.3 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors." CVE-2012-0775 on mitre.org
Thanks to Cert Lexsi for pointing me to the correct CVE and William Metcalf for confirming it.


After initiating "popular" usage of CVE-2011-3402 (Duqu like font drop), CVE-2012-5076, maybe CVE-2013-0422 ("new year 0 day"), Cool EK has integrated around 11th of January CVE-2012-1889, maybe CVE-2012-1876 (William Metcalf is not 100% sure but says all pieces are here for this CVE ) and maybe CVE-2012-4792.
(working on trying to remove those maybe)


Chris Wakelin's tweet after he noticed changes in the landing


Path over CVE-2012-1889, CVE-2012-1876(?), CVE-2012-4792(?) will look like :

GET http://5102ae6c0fb1c.adminhrservices .net/news/gardener.php
200 OK (text/html)
GET http://5102ae6c0fb1c.adminhrservices .net/news/pics/new.png
200 OK (application/x-msdownload)


One landing : http://pastebin.com/HRr2We2z
The "three IE CVE combo" deobfucated : http://pastebin.com/WXtgUHA6

Piece of what looks like CVE-2012-4792. Note the comment.
VIPOLNYAT ODNIM KUSKOM
(already there when spotted by Chris Wakelin)

ВЫПОЛНЯТЬ ОДНИМ КУСКОМ meaning "execute as holistic, unified code" (Thanks Aels)

CVE-2012-1889 part

Some part of what could be CVE-2012-1876


CVE-2012-1889/CVE-2012-1876/CVE-2012-4792 ShellCode after pylibemu
Thanks as always to Markus and Angelo for the great tools

By the way, writing about Cool EK one thing i never noticed before : it's using also the old MDAC.

 "его оставили потому как он не крешит браузер, не палится аверами так как нам удалось его вычистить, и на старом ИЕ6 до сих пор работает как надо" written by the author when announcing Blackhole update to 2.0.

"leave him because he does not crash, do not palitsya Avery because we managed to clean up, and the old IE6 is still working as it should"

Double payload via CVE-2011-3402 - CVE-2006-003
on an outdated VM

CVE-2006-0003 - MDAC vuln is there also

But here is what has motivated this post, since 2013/01/24 a new infection path appeared involving a third unknown (not the CVE-2010-0188 nor CVE-2009-0927) PDF 

CVE-2012-0775 :
Right now those PDF are nicely managed by Wepawet :

http://wepawet.iseclab.org/view.php?hash=f4319bad179b45c7da5eac95f570837d&type=js
http://wepawet.iseclab.org/view.php?hash=e676c9cc6787505f1ae6149d6349f103&type=js
http://wepawet.iseclab.org/view.php?hash=2dcbbb8fc05f7c13f483af7d43db432e&type=js


Adobe Reader version based conditions
(screenshot from Wepawet Analysis)


Enabler
(screenshot from Wepawet Analysis)

(screenshot from Wepawet Analysis)



I plan to add more data here later. I prefer not talking now about the results of all the tests that have been made.

One popup seen triggering those CVEs

We'll need a summary of all the CVE featured in this Exploit Kit.

For the payload on the Cool EK studied here, as usual, it's Reveton Ransomware, which has also changed recently according to Malekal


Reveton modification spotted by Malekal


Files :

6 pdfs almost similar protected with default public pass :
http://goo.gl/IuvKi (ownCloud)
http://goo.gl/cR91s (Mega)
136 reveton including last one with random filename:
http://goo.gl/ZCcsc (Mega)


Reading :
Crimeware Author Funds Exploit Buying Spree - 2013-01-07 - Brian Krebs - krebsonsecurity.com
Common Exploit Kits 2012 Poster - 2012-11-11 Mila - Contagio
Wild Wild West - 2012-23-10 - Kahu Security
An Overview of Exploit Packs (Update 17) October 12, 2012 - 2012-10-12 Mila - Contagio
More on Cool EK:
Big update for Cool EK - 2012-12-18
Cool-er Than Blackhole? - 2012-11-16 - Timo Hirvonen - F-Secure
CVE-2011-3402 and Cool Exploit Kit - 2012-11-28 - yomuds - a bunch of random security bits!
Cool EK : "Hello my friend..." CVE-2012-5076 - 2012-11-09
Cool Exploit Kit - A new Browser Exploit Pack with a "Duqu" like font drop - 2012-10-09


Post publication reading :
CVE-2012-1876: Recent update to the Cool Exploit Kit landing page - Justin Kim - Microsoft - 2013-05-08