2013-12-24 - Exploit Integration
CVE-2013-5329 integrated in Exploit Kits
Disclaimer: I may hide information if a CVE attempt seems broken.
Quick post that I will heavily edit later with details and other integrations (if any).
Angler EK is not a Reveton-dedicated EK anymore. After being adopted by the "ru:8080" team,
Cridex/Bugat not dead. Here pushed by ru:8080 in.... Angler EK (was Magnitude 29 before that and Blackhole /news/) pic.twitter.com/Z8cvZneOQ7
— kafeine (@kafeine) December 17, 2013
I spotted another customer a few days ago (will update with screenshots and information on payloads). Studying it, I found that Angler EK has integrated a new Flash exploit.
<edit1 2013-12-25>
Thanks to Arseny Levin from SpiderLabs for identifying the correct CVE, Chris Wakelin for decoding the RC4-encrypted SWF, and Will Metcalf from Emerging Threats for additional input.
I can now update the post with CVE-2013-5329.
More technical data to come later.
One question... how did they get that code?
I guess a 450k$ budget for exploits helps.
</edit1>
Angler EK: CVE-2013-5329 on Flash 11.9.900.117:
[Screenshot: Flash 11.9.900.117 successfully exploited by CVE-2013-5329 in Angler EK 2013-12-24]
GET http://gpnmdatestamped.beachsidebridesblog.ca/qldamegim7
200 OK (text/html)
GET http://gpnmdatestamped.beachsidebridesblog.ca/4qldamegim7sek
200 OK (text/html)
GET http://gpnmdatestamped.beachsidebridesblog.ca/3qldamegim7sek
200 OK (application/octet-stream) 9abb9b3736531370a07d2b5e3344bc5b
In some passes you may also get this:
GET http://gpnmdatestamped.beachsidebridesblog .ca/counter.php?v=win%2011%2C9%2C900%2C117&t=activex&o=windows%20xp
404 Not Found (text/html)
Raw:
GET http://hydrolyz-gewaehlte.beachsidebridesblog.com/counter.php?v=win%2011%2C9%2C900%2C117&t=activex&o=windows%20xp HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,9,900,117
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: hydrolyz-gewaehlte.beachsidebridesblog.com
Connection: Keep-Alive
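The counter.php callback above is the exploit kit reporting the victim's Flash Player build back to its server: the v= parameter carries "win 11,9,900,117" (percent-encoded) and the same build appears in the x-flash-version request header. From a defender's side, that callback is a cheap place to spot which clients were fingerprinted and which of them were running a build the exploit covers. The script below is an added example, not code from the post or from any of the kits discussed: it parses both the query parameter and the header from constructed proxy-log lines and flags builds older than a patched version. The PATCHED constant (11.9.900.170) is my recollection of the build Adobe shipped in bulletin APSB13-28 for CVE-2013-5329 and should be verified against the bulletin; the log format, the example.invalid hosts and the scan_log helper are assumptions for the example.

```python
"""Flag Flash Player version fingerprints in proxy logs.

Added example (not from the original post). Exploit-kit landing pages report
the victim's Flash build back to the server, e.g.
  counter.php?v=win%2011%2C9%2C900%2C117&t=activex&o=windows%20xp
and the browser plugin sends the same build in an x-flash-version header.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

Version = Tuple[int, ...]

# Assumption: the build Adobe released in APSB13-28 to fix CVE-2013-5329.
# Verify against the bulletin before relying on this threshold.
PATCHED: Version = (11, 9, 900, 170)

# Constructed sample log lines: "<src_ip> <method> <url>". The first URL is the
# callback seen on the page; the others are made up for the example.
LOG = """\
10.0.0.5 GET http://hydrolyz-gewaehlte.beachsidebridesblog.com/counter.php?v=win%2011%2C9%2C900%2C117&t=activex&o=windows%20xp
10.0.0.7 GET http://example.invalid/counter.php?v=win%2011%2C9%2C900%2C170&t=plugin&o=windows%207
10.0.0.9 GET http://example.invalid/index.html
"""


def parse_flash_version(text: str) -> Optional[Version]:
    """Parse 'win 11,9,900,117' or '11,9,900,117' into a tuple of ints.

    Returns None for anything that is not four comma-separated numbers, so a
    malformed or hostile value never raises inside the log loop.
    """
    parts = text.strip().split()
    if not parts:
        return None
    nums = parts[-1].split(",")
    if len(nums) != 4 or not all(n.isdigit() for n in nums):
        return None
    return tuple(int(n) for n in nums)


def version_from_url(url: str) -> Optional[Version]:
    """Extract the Flash build from a counter.php-style v= query parameter."""
    qs = parse_qs(urlsplit(url).query)  # parse_qs percent-decodes for us
    values = qs.get("v")
    return parse_flash_version(values[0]) if values else None


def version_from_headers(headers: Dict[str, str]) -> Optional[Version]:
    """Extract the Flash build from an x-flash-version header (any case)."""
    for name, value in headers.items():
        if name.lower() == "x-flash-version":
            return parse_flash_version(value)
    return None


def is_vulnerable(version: Version, patched: Version = PATCHED) -> bool:
    """True if the reported build is older than the patched build."""
    return version < patched


def scan_log(lines: List[str]) -> List[dict]:
    """Return one record per log line that carries a Flash version callback."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        src, url = fields[0], fields[2]
        version = version_from_url(url)
        if version is None:
            continue
        hits.append({
            "src": src,
            "host": urlsplit(url).hostname or "",
            "version": ".".join(str(n) for n in version),
            "vulnerable": is_vulnerable(version),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG.splitlines()):
        flag = "VULNERABLE" if hit["vulnerable"] else "patched"
        print(f'{hit["src"]} -> {hit["host"]} reported Flash {hit["version"]} ({flag})')
```

Run it as-is to see the two fingerprinted clients; in practice you would feed it real proxy lines and pair the vulnerable hits with any following application/x-shockwave-flash and application/octet-stream responses from the same host, which is the landing-to-payload sequence the captures in this post show.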
Files: 2 Flash, 1 Fiddler
Sweet Orange : 2014-02-07
[Screenshot: CVE-2013-5329 pass in Sweet Orange 2014-02-07 - Flash 11.9.900.117]
200 OK (text/html)
GET http://nioxox.nodoclender .com:13014/demos/class/administration/izUTRQ
200 OK (application/x-shockwave-flash) 5d7421708b3d752bd8cb63a11a7bcc0c
[Screenshot: Piece of CVE-2013-5329 in Sweet Orange 2014-02-07]
[Screenshot: hugh?!]
200 OK (application/octet-stream) 8f68669ea7b665ce11a66462ba56fcc5 Plama HTTP Bot.
Files: Fiddler, Flash, Sample (owncloud via goo.gl)
Grandsoft : spotted 2014-02-10
Thanks @EKWatcher, @node5 and @TimoHirvonen for help.
For a few months now it seems that the targeted victims are only UA/RU, and maybe only one "customer" (payload: Russian ransomware).
[Screenshot: GrandSoft and Flash Exploit 2014-02-10]
GET http://eliminated.hoqkd-kvqxhitchhikingpe .biz/episcopal.php
200 OK (text/html)
[Screenshot: GrandSoft Landing : 2014-02-10]
GET http://eliminated.hoqkd-kvqxhitchhikingpe .biz/jerrasimo.js
200 OK (application/x-javascript)
GET http://eliminated.hoqkd-kvqxhitchhikingpe .biz/Main.swf
200 OK (application/x-shockwave-flash) 95f3c853e1a7d28298decc3917b2f36d
(Same work as what was seen in Sweet Orange, but it could have been here before.)
[Screenshot: Piece of CVE-2013-5329 in GrandSoft Flash exploit : 2014-02-10]
GET http://eliminated.hoqkd-kvqxhitchhikingpe .biz/50294/152647843
200 OK (text/html) d6bd005682c8d5128e2b1b0adceb4ac4 Russian Ransomware
Styx : 2014-03-09
The Angler sample from December has been added to a Styx instance.
[Screenshot: CVE-2013-5329 successful pass in a Styx instance (the 0 size for the payload is a mistake; see below)]
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/i.html
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/mWrWbMIQu.html
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/AVqeKK.html
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/TGEClpEC.html
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/4qldamegim7sek.swf (sample grabbed from this blog)
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/3a8aqgdg7qedig.eot (Silverlight)
http://etgsdf.maybe-fuck-google .info/kXAGNIVnwPCdI/soft2.exe&h=71 Payload was: 513d14b5139a0e6d9d7a61c055522a71 (Citadel)