2014-10-21

CVE-2014-0569 (Flash Player) integrating Exploit Kit





<This post has been edited multiple times to fix some errors and bring in new elements. It may still be changed.>

My goal was to grab CVE-2014-0556 when I landed yesterday on Fiesta, but according to @TimoHirvonen it's CVE-2014-0569, fixed only 1 week ago, that has been fired here. It's a really fast integration in an Exploit Kit. I've been told it landed in Fiesta after its coder reversed the patch (in 2 days).

So you know what to do: ensure Flash Player is up to date (15.0.0.189; for IE10/IE11 users the patch to check is KB3001237).

Fiesta :



CVE-2014-0569 successful pass in Fiesta EK
2014-10-21
Fiesta Logo Courtesy of FoxIT.


GET http://rvdcgyisqy.myftp .org/jjcv7antdqqollz6mqusrbwjcu3z1835zzuurupwvyxdsy
200 OK (text/html) 


"Relevant section from Fiesta landing page : http://pastebin.com/K4gbQWpS"  By Jason in comments

GET http://rvdcgyisqy.myftp .org/cp9ne2q/4f25f1a50659fee801500b0e540a50040053040e5253510e0152060357535850;150000;144
200 OK (application/x-shockwave-flash) 254690dd89055c46f1a60713dbc26965 
CVE-2014-0569

GET http://rvdcgyisqy.myftp .org/cp9ne2q/55cd3f2a4a3ae27c5645085f015d03500100555f0704025a0001575202040b04;7
200 OK (application/octet-stream) 2b74a966466d612b069161b4fdd0f775 Payload : Ropest (thx @Horgh_rce )

GET http://rvdcgyisqy.myftp .org/cp9ne2q/55cd3f2a4a3ae27c5645085f015d03500100555f0704025a0001575202040b04;7;1
200 OK (text/html)


Files : Nothing Yet.
Fiddler sent to VT here : 9bb6292633f4eccd54aeb23ad3555507
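The captures in this post all show the same three-step sequence from one host: an HTML landing page, then the SWF carrying the exploit, then a binary payload. As an added example (not part of the original post), the script below parses a log written in the same "GET URL / 200 OK (mime) hash" layout and flags hosts that serve that sequence in order; the sample log, hosts and hashes are constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the "METHOD URL / STATUS (mime) hash" layout of the captures above; placeholder hosts/hashes.
SAMPLE_LOG = """\
GET http://kit.example.invalid/landing/abc123
200 OK (text/html)
GET http://kit.example.invalid/cp9/aaaa;150000;144
200 OK (application/x-shockwave-flash) 00000000000000000000000000000001 CVE-2014-0569
GET http://kit.example.invalid/cp9/bbbb;7
200 OK (application/octet-stream) 00000000000000000000000000000002 Payload
GET http://cdn.example.invalid/player.swf
200 OK (application/x-shockwave-flash) 00000000000000000000000000000003
"""
REQ = re.compile(r"^(GET|POST)\s+(\S+)")
RESP = re.compile(r"^(\d{3})\s+\S+.*?\((.*?)\)(?:\s+([0-9a-f]{32,64}))?")
PAYLOAD_MIMES = {"application/octet-stream", "application/x-msdownload"}
STAGES = ("text/html", "application/x-shockwave-flash", "payload")

def parse_pairs(log):
    # Returns one (host, path, status, mime, hash) tuple per request/response pair.
    pairs, pending = [], None
    for line in log.splitlines():
        m = REQ.match(line.replace(" .", "."))  # undo the "myftp .org" style defanging used in the post
        if m:
            pending = urlsplit(m.group(2))
            continue
        r = RESP.match(line)
        if r and pending:
            pairs.append((pending.netloc, pending.path, int(r.group(1)), r.group(2), r.group(3)))
            pending = None
    return pairs

def find_ek_chains(pairs):
    """Flag hosts that serve, in order, an HTML landing, a SWF, then a binary payload."""
    by_host = defaultdict(list)
    for host, path, status, mime, h in pairs:
        if status == 200:
            by_host[host].append((mime, path, h))
    hits = {}
    for host, seq in by_host.items():
        found = {}
        for mime, path, h in seq:
            want = STAGES[len(found)]
            if mime == want or (want == "payload" and mime in PAYLOAD_MIMES):
                found[want] = (path, h)
                if len(found) == len(STAGES):
                    hits[host] = found
                    break
    return hits
```

A host serving only a SWF (the second host in the sample) is not flagged; the landing page must precede it.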

Angler EK :

[Edit 2014-10-22: It appears this could be another CVE (0558 or 0564 or something else killed by the last update) than CVE-2014-0569. I am asking for help in figuring it out.]
[Edit 2014-11-25: So the CVE here is in fact CVE-2014-8439. See post by F-Secure.]
CVE-2014-0569 (?) Flash Exploit fired by Angler EK - 2014-10-21
Followed by Bedep activity and a Zeus Variant
Edit 2014-11-25 - CVE-2014-8439
Edit 2014-12-21 - Kaspersky Lab named that Zeus Variant: Chthonic
GET http://three.creziontyro .in/qsx0jugfgk
200 OK (text/html) After first pass of deobfuscation http://pastebin.com/tnRKArFz (thx as always to @EKWatcher ) Update coming later maybe.

GET http://three.creziontyro .in/J-XQctybYriag-bOGIcSDh-HchIdpmXKk_M52H6bO6Y7NsJMsSIWWvNTG-R0tdBR
200 OK (application/x-shockwave-flash) d54a6cca8b6b52f6ed47769ba6397444 CVE-2014-xxxx

GET http://three.creziontyro .in/KxYioLx6A_QJguVdGPUpkrc6lJWbIWICBCyS8LR7X3pDLnTugBkW7GVC1vXjAtFj
200 OK (application/octet-stream)  Stream containing Shellcode and Bedep.

Target Payload : 831098a9d8db43bebf3d6ee67914888d  Kins Variant (Thanks to @maciekkotowicz who wrote about it on Kernelmode)

Files: Fiddler sent to VT here : 6c0cd2dae5c43f92d86411977bb28b08

Astrum EK:

So Astrum is owning Flash 15.0.0.152. It seems the same undefined CVE (fixed 10 days ago by the last Flash Player patch) used in Angler EK is being used here as well.

[Edit 2014-11-25: The CVE here is in fact CVE-2014-8439. See post by F-Secure.]


Astrum EK exploiting Flash 15.0.0.152 to push Miuref AdFraud
2014-10-24
Edit 2014-11-25 - CVE-2014-8439

(Once again... sorry, I do not have enough time yet to study this in detail.)

GET http://b.kok44 .com/qtzscn6d2vyrp.html
200 OK (text/html)

POST http://b.kok44 .com/nlPPOoTJIWP0MPcC66tPW6E881Kxrk4JpG3zUe7-T16vY_BTuvYfUu118wO64AEI8g..
404 Not Found (text/html)

GET http://b.kok44 .com/qtzscn6d2vyrp.html
200 OK (text/html)

POST http://b.kok44 .com/YYclWjoL_Ppe6BRhUmbCkQ7uSWFZaMeRW-0UZ1I9lZYMvEtmAjeXkRKhGWMEItyRDQ..
200 OK (text/html)

GET http://b.kok44 .com/iajJ15EwZW62x_js-V1bBebBpezyU14Fs8L46vkGDALkk6frqQwOBfqO9eysGUUF5Q..
200 OK (application/x-shockwave-flash)  99a8b37fcd995f859e2b7e22ce8fe72b CVE-2014-05xx ??

GET http://b.kok44 .com/pYU3o8dIJ8ma6gaYryUZosrsW5ikKxyin-8Gnq9-TqXIvlmf_3RMotajC5j1YQeiyQ..  After deobfuscation ; 3ef89107362630d2ad56e7bef5a717fc Miuref AdFraud (cf form. Partnerka.me)
200 OK (application/octet-stream)

Files: Nothing Yet.
Fiddler sent to VT here : 5e9abc8ef40bb98afb00e40f12958919

Sweet Orange :


A pass with Firefox and Flash 15.0.0.152 seems to confirm that. CVE-2014-0569 confirmed by Kaspersky. Simon Choi told me he also got a successful pass with IE 11 / Flash 15.0.0.167 on Windows 8.




GET http://pirat.svanager.wielun .pl:8080/elements/film.php?london=274412&desktop=209908&advocacy=17&bloggers=22666&free=56481&articles=178642&other=287691
200 OK (text/html)

GET http://pirat.svanager.wielun .pl:8080/elements/xrbolXSHx
200 OK (application/x-shockwave-flash) 6d5591ef4d3ddb1c0b47d52a58e36036


GET http://pirat.svanager.wielun.pl:8080/backup.php?lang=1341&topics=12&voip=505&myguest=1251&math=1377&down=2386&game=2511
200 OK (application/octet-stream) Kovter bc8e0c39cc66da9c2caee65bd3a70882

Files: Soon. After Nuclear Pack integration.

Flash EK :

CVE-2014-0569 fired by a "full" Flash EK on 2014-10-28


GET http://tinsinarbetrab .eu/xs3884y132186/index.php
200 OK (text/html)

GET http://tinsinarbetrab .eu/xs3884y132186/js/swfobject.js
200 OK (application/javascript)

GET http://tinsinarbetrab .eu/xs3884y132186/banner.swf
200 OK (application/x-shockwave-flash) Filtering advert 8124c71afe59779e181c52857f990103



POST http://tinsinarbetrab .eu/xs3884y132186/gate.php
200 OK (text/html)

GET http://tinsinarbetrab .eu/xs3884y132186/Main.swf
200 OK (application/x-shockwave-flash) 93bd68ff7112244d19030d360e9b2108 CVE-2014-0569 identified by Timo Hirvonen


GET http://tinsinarbetrab .eu/xs3884y132186/lofla1.php
200 OK (application/octet-stream) Necurs 96f0f62f798987fb0dd3427182775ef7

Files: Soon.

RIG :

Successful pass in RIG for CVE-2014-0569
2014-11-06
(inside since : 2014-11-04)
GET http://blog.dwightdavisarchitect .net/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|YTUyZTE1NjA3NGM0NGQzNmJiMTg4ZDZkNjVmMWE2YTA
200 OK (text/html)

GET http://blog.dwightdavisarchitect .net/index.php?req=swf&num=174&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|YTUyZTE1NjA3NGM0NGQzNmJiMTg4ZDZkNjVmMWE2YTA
200 OK (application/x-shockwave-flash)  28edb6d99e80823b22b28c7d6fb5106999d7df4365d547c64b7dfd4973cb95a0 CVE-2014-0569. Confirmation by Kaspersky Lab.

GET http://blog.dwightdavisarchitect .net/index.php?req=mp3&num=72237&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg%7CYTUyZTE1NjA3NGM0NGQzNmJiMTg4ZDZkNjVmMWE2YTA
200 OK (application/x-msdownload)  <- Glupteba.

File: RIG_2014-11-06.zip (Owncloud)

Nuclear Pack :

Same exploit as in Astrum according to @TimoHirvonen
[Edit 2014-11-25: the CVE here is in fact CVE-2014-8439. See post by F-Secure.]
Nuclear Pack exploiting Flash 15.0.0.152 to push Kelihos Loader
Edit 2014-11-25 - CVE-2014-8439
GET http://mienzamicherdoekno .co.vu/61c4895bc2uuv.html
200 OK (text/html)

Piece of code to filter flash version on decoded landing
http://pastebin.com/BFxrTZiF
GET http://mienzamicherdoekno .co.vu/f285e22b4bcac2uuv/1415616660
200 OK (application/octet-stream) - e5dc40303049ecbffabfd47fc4b92809

Despite the debug string, according to Timo and Kaspersky, as in Astrum and Angler EK, it's not CVE-2014-0569.




GET http://mienzamicherdoekno .co.vu/f285e22bc2uuv/1415616660/7
200 OK (application/octet-stream) - 275bcc790883204f559852bd9a6e74f4 Kelihos Loader

GET http://mienzamicherdoekno.co.vu/f285e22bc2uuv/1415616660/7/2
200 OK (application/octet-stream) Empty

Files: Nuclear Pack_2014-11-10.zip

Null Hole :

Call me Null Hole maybe?

Archie :
CVE identification by Anton Ivanov (Kaspersky) (Thanks)
CVE-2014-0569 fired by Archie
2014-11-18
Files : Fiddler&Flash  (password is : malware)

Magnitude :

Thanks Timo Hirvonen for CVE identification and Will Metcalf and EKWatcher for allowing that pass.
Magnitude successfully firing  CVE-2014-8439 ("downgraded") against flash 15.0.0.152
2014-12-03
Sample: f5e3ce7da019cf38dc3982f9f323aee2

Files: Fiddler and Flash : Magnitude_2014-12-03.zip

Post-publication Readings:
Cracking the CVE-2014-0569 nutshell - Chun Feng - Microsoft Protection Center - 2014-11-06
