2014-11-21 - Exploit Integration
CVE-2014-6332 (Internet Explorer) and Exploits Kits
For this CVE referer to :
http://technet.microsoft.com/security/bulletin/MS14-064
The first encounter I had with this CVE in exploit kit, was in the Sweet Orange from the actor pushing DarkShell via KR compromised website. The landing provided by @MalwareSigs the 2014-11-19 was already containing CVE-2014-6332
So this actor :
 |
| DarkShell pushed by 2014-09-28 |
The actor pushing DarkShell with GongDa via KR compromised websites has migrated to Sweet Orange.Somewhat unexpected. pic.twitter.com/rlMy5RsevJ
— kafeine (@kafeine) October 25, 2014 Sweet Orange :
The URL pattern are different, but at a given time the modifications are similar on both...
 |
| Da Orangade firing CVE-2014-6332 and DarkShell Call back 2014-11-19 |
200 OK (text/html)
 |
| Sweet Orange Landing 2014-11-19 |
A replace then a b64decode on the second b64 blob and we have :
 |
| CVE-2014-6332 in Sweet Orange 2014-11-19 |
GET http://v.krtedun .com/sum.exe - DarkShell - fc1a3c9fc7a80e80109f1e2a32e2b057
200 OK (application/octet-stream)
Here a more "standard" Sweet Orange :
 |
| CVE-2014-6332 fired by Sweet Orange - And Betabot call back. 2014-11-21 |
File : You'll find a PCAP illustrating this here
http://www.threatglass.com/malicious_urls/volumebass-com-2014-11-21 (in this pcap the CVE-2014-6332 is in the first b64 blob)
Neutrino :
 |
| Neutrino Firing CVE-2014-6332 embedded in a flash 2014-11-20 |
Please refer to this post : Neutrino : The come back !
Archie :
First spotted by Will Metcalf, here CVE-2014-6332 in Archie
 |
| CVE-2014-6332 - 2014-11-24 |
Fiddler here
Flash EK
 |
| Flash EK firing CVE-2014-6332 - 2014-12-13 Edit : 2014-12-21 - Kaspersky named what we were calling Andromedins or AndroKins : Chthonic |
NB : it's in RIG and Angler (2015-01-30 for last one).
Will update asap.
Read More :
Neutrino : The come back ! - 2014-11-20