2013-12-24 - Exploit Integration

CVE-2013-5329 integrated in Exploit Kits

Disclaimer: I may hide information if a CVE attempt seems broken.

Quick post that I will heavily edit later with details and other integrations (if any).

Angler EK is no longer a Reveton-dedicated EK. After it was adopted by the "ru:8080" team, I spotted another customer a few days ago (will update with screenshots and information on payloads).

While studying it I found that Angler EK has integrated a new Flash exploit.
I can't tell for now which one. The best candidates are CVE-2013-5329 and CVE-2013-5330, as Flash 11.9.900.117 was successfully exploited. Both were patched on 2013-11-12 (see: http://www.adobe.com/support/security/bulletins/apsb13-26.html ). Angler won't try to exploit Flash 11.9.900.152 or 11.9.900.170.

<edit1 2013-12-25>
Thanks to Arseny Levin from SpiderLabs for identifying the correct CVE, Chris Wakelin for decoding the RC4ed SWF, and Will Metcalf from Emerging Threats for additional input.

I can now update the post with CVE-2013-5329.
More technical data to come later.

One question... How did they get that code?
I guess a $450k budget for exploits helps.

Angler EK: CVE-2013-5329 on Flash 11.9.900.117:

Flash 11.9.900.117 successfully exploited by CVE-2013-5329 in Angler EK

GET http://gpnmdatestamped.beachsidebridesblog.ca/qldamegim7
200 OK (text/html)

GET http://gpnmdatestamped.beachsidebridesblog.ca/4qldamegim7sek
200 OK (text/html) 

GET http://gpnmdatestamped.beachsidebridesblog.ca/3qldamegim7sek
200 OK (application/octet-stream) 9abb9b3736531370a07d2b5e3344bc5b

In some passes you may also get this:
GET http://gpnmdatestamped.beachsidebridesblog .ca/counter.php?v=win%2011%2C9%2C900%2C117&t=activex&o=windows%20xp
404 Not Found (text/html)

Raw:

GET http://hydrolyz-gewaehlte.beachsidebridesblog.com/counter.php?v=win%2011%2C9%2C900%2C117&t=activex&o=windows%20xp HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,9,900,117
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: hydrolyz-gewaehlte.beachsidebridesblog.com
Connection: Keep-Alive
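The counter.php beacon above carries the victim's Flash build twice: URL-encoded in the v= parameter and again in the x-flash-version header. Since Angler only fires on builds older than the APSB13-26 fix (11.9.900.152), a triage script can parse the beacon and tell at a glance whether the client that hit it was exploitable. The script below is an added example for this post, not code from the kit or from the author; the first sample request is the raw capture shown above, the second (host example.invalid, build 11.9.900.170) is constructed to show a patched client, and the cut-off version is taken from Adobe APSB13-26.

```python
"""Triage helper for Angler's counter.php beacon (added example, not from the post)."""
import re
from urllib.parse import urlparse, parse_qs

# First Flash build shipping the APSB13-26 fix for CVE-2013-5329 / CVE-2013-5330.
APSB13_26_FIXED = (11, 9, 900, 152)

# Sample beacons. The first is the raw request captured in the post; the second
# is constructed here (example.invalid, build 11.9.900.170) to show a patched client.
SAMPLE_REQUESTS = {
    "page_capture": """GET http://hydrolyz-gewaehlte.beachsidebridesblog.com/counter.php?v=win%2011%2C9%2C900%2C117&t=activex&o=windows%20xp HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,9,900,117
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: hydrolyz-gewaehlte.beachsidebridesblog.com
Connection: Keep-Alive
""",
    "constructed_patched": """GET http://example.invalid/counter.php?v=win%2011%2C9%2C900%2C170&t=plugin&o=windows%207 HTTP/1.1
x-flash-version: 11,9,900,170
Host: example.invalid
""",
}


def parse_flash_version(text):
    """Turn 'win 11,9,900,117', '11,9,900,117' or 'WIN 11.9.900.117' into a 4-tuple."""
    m = re.search(r"(\d+)[,.](\d+)[,.](\d+)[,.](\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def parse_counter_request(raw):
    """Parse a raw request (request line + headers, as Fiddler shows it).

    Returns the host, path, the Flash build from the query string and from the
    x-flash-version header, plugin type (t=), OS (o=), whether the two version
    fields disagree, and whether the build predates the APSB13-26 fix."""
    lines = raw.strip().splitlines()
    _method, url, _proto = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    q_version = parse_flash_version(qs.get("v", [""])[0])
    h_version = parse_flash_version(headers.get("x-flash-version", ""))
    version = q_version or h_version
    return {
        "host": headers.get("host"),
        "path": parsed.path,
        "version_query": q_version,
        "version_header": h_version,
        "version_mismatch": bool(q_version and h_version and q_version != h_version),
        "plugin": qs.get("t", [None])[0],
        "os": qs.get("o", [None])[0],
        "pre_apsb13_26": version is not None and version < APSB13_26_FIXED,
    }


def triage(requests):
    """Run the parser over a dict of name -> raw request; returns name -> result."""
    return {name: parse_counter_request(raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, info in triage(SAMPLE_REQUESTS).items():
        flag = "EXPLOITABLE (pre-APSB13-26)" if info["pre_apsb13_26"] else "patched"
        print(f"{name}: {info['host']} {info['version_query']} {info['plugin']} {info['os']} -> {flag}")
```

Comparing the query-string build with the x-flash-version header is cheap and worth keeping: a beacon where the two disagree is not a normal Flash client hitting counter.php and usually means a replay or a modified request rather than a real victim.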

Files: 2 Flash, 1 Fiddler

Sweet Orange: 2014-02-07

CVE-2013-5329 pass in Sweet Orange
2014-02-07 - Flash 11.9.900.117
GET http://nioxox.nodoclender .com:13014/demos/class/administration/novell.php?rssfeed=33
200 OK (text/html)

GET http://nioxox.nodoclender .com:13014/demos/class/administration/izUTRQ
200 OK (application/x-shockwave-flash) 5d7421708b3d752bd8cb63a11a7bcc0c

Piece of CVE-2013-5329 in Sweet Orange

GET http://rapido.callsphones .com:13014/voting.php?math=501&demos=150&popular=4&renew=81&forward=171&nav_m=165&subs=478&deals=151
200 OK (application/octet-stream) 8f68669ea7b665ce11a66462ba56fcc5 Plasma HTTP Bot.

Note: it seems CVE-2013-0634 is inside too.
Files: Fiddler, Flash, Sample (ownCloud via goo.gl)

GrandSoft: spotted 2014-02-10

Thanks @EKWatcher, @node5 and @TimoHirvonen for help.

For a few months it seems that the targeted victims are UA/RU only, and that there is maybe only one "customer" (payload: Russian ransomware).

GrandSoft and Flash Exploit

GET http://eliminated.hoqkd-kvqxhitchhikingpe .biz/episcopal.php
200 OK (text/html)

GrandSoft Landing : 2014-02-10
GET http://eliminated.hoqkd-kvqxhitchhikingpe .biz/jerrasimo.js
200 OK (application/x-javascript)

GET http://eliminated.hoqkd-kvqxhitchhikingpe .biz/Main.swf
200 OK (application/x-shockwave-flash) 
(same work as what has been seen in Sweet Orange, but it could have been here before).

Piece of CVE-2013-5329 in the GrandSoft Flash exploit: 2014-02-10

GET http://eliminated.hoqkd-kvqxhitchhikingpe .biz/50294/152647843
200 OK (text/html) d6bd005682c8d5128e2b1b0adceb4ac4 Russian Ransomware

Styx: 2014-03-09
The Angler sample from December has been added to a Styx instance.
CVE-2013-5329 successful pass in a Styx instance.
(the 0 size for the payload is a mistake, see below)
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/i.html
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/mWrWbMIQu.html
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/AVqeKK.html
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/TGEClpEC.html
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/4qldamegim7sek.swf Sample grabbed from this blog.
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/3a8aqgdg7qedig.eot (Silverlight)
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/soft2.exe&h=71 Payload was: 513d14b5139a0e6d9d7a61c055522a71 (Citadel)