2015-01-29 - Exploit Integration

CVE-2015-0311 (Flash up to ...) integrating Exploit Kits

Patched with Flash ..., CVE-2015-0311 was first seen exploited by Angler EK (2015-01-20) and, soon after, used in "standalone" mode in a huge malvertising campaign (pushing either Reveton or Bedep, the latter doing adfraud and grabbing malware: Pony mostly, from what I saw).

CVE-2015-0311 used in standalone mode to drop Bedep, grab Pony and perform adfraud
Here are some MD5 for the standalone CVE-2015-0311:

Here are some MD5 for the CVE-2015-0311 fired by Angler EK:
a956021a2a8b6351e94f11e4b799c97e - 2015-01-21 <- First spotted as it and shared.
cacd5a2271e204f3ce561cf3ca08d12c - 2015-01-22
7aff26e0ea8523c8086692a2f35fd20c - 2015-01-23
ea14f42ba6ff9f4b39158864ec98dd35 - 2015-01-25
8f45fdb14f81cd154090922769137387 - 2015-01-27 <- Once the exploit was extended to all Angler threads
(Note: all were sent almost live to VT. Interestingly, only one MD5 leaked publicly before the patch.)

CVE-2015-0311 has been integrated today in RIG

RIG: 2015-01-29

[Note that CVE-2014-6332 is in RIG as well. I'll update the associated post soon.]
CVE id confirmed by Anton Ivanov (Kaspersky) (Thanks!)
RIG successfully exploits Windows 8.1 IE11 Flash - 2015-01-29 using

Fiddler sent to VT. (Not shared here on purpose. No need to ask in comments why: the break % is still too high.)
Sample: 196467aa4e6e1c2a66b49d465d37f9b9
[Edit] First rotated sample after that post: 270c1ff742a50a13ae68d4c88b700017 [/Edit]
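The hash lists in this post are written as loose "md5 - date <- note" and "Sample : md5" lines. As an added example (not part of the original post), here is a small defender-side helper that parses those lines into structured IoC records and checks arbitrary file bytes against them, so the hashes can be fed into a triage script instead of being grepped by hand. The Angler and RIG lines embedded below are copied from this post; the test content hashed at the bottom is constructed and is not a sample.

```python
"""Parse the loose IoC lines of this post into records and check file hashes against them."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# "md5 - YYYY-MM-DD <- optional note" lines (the Angler list).
DATED_RE = re.compile(
    r"^\s*(?P<md5>[0-9a-fA-F]{32})\s*-\s*(?P<date>\d{4}-\d{2}-\d{2})\s*(?:<-\s*(?P<note>.*\S))?\s*$"
)
# "Sample : md5" and "First rotated sample after that post : md5" lines (the per-kit sections).
SAMPLE_RE = re.compile(r"[Ss]ample[^:]*:\s*(?P<md5>[0-9a-fA-F]{32})")

# Lines copied verbatim from the post (Angler EK and RIG sections).
ANGLER_LINES = [
    "a956021a2a8b6351e94f11e4b799c97e - 2015-01-21 <- First spotted as it and shared.",
    "cacd5a2271e204f3ce561cf3ca08d12c - 2015-01-22",
    "7aff26e0ea8523c8086692a2f35fd20c - 2015-01-23",
    "ea14f42ba6ff9f4b39158864ec98dd35 - 2015-01-25",
    "8f45fdb14f81cd154090922769137387  - 2015-01-27  <- Once exploit extended to all Angler Threads",
    "(Note: All were sent almost live to VT. Interestingly only one md5 leaked publicly before patch )",
]
RIG_LINES = [
    "Sample : 196467aa4e6e1c2a66b49d465d37f9b9",
    "[Edit] First rotated sample after that post : 270c1ff742a50a13ae68d4c88b700017 [/Edit]",
]


@dataclass(frozen=True)
class Ioc:
    md5: str
    kit: str
    date: Optional[str]
    note: str


def parse_ioc_lines(kit: str, lines: Iterable[str], default_date: Optional[str] = None) -> List[Ioc]:
    """Turn the post's free-text hash lines for one exploit kit into Ioc records.

    Lines without a 32-hex MD5 (captions, notes, blanks) are ignored, so a whole
    section can be pasted in unchanged. Hashes are normalised to lowercase.
    """
    records: List[Ioc] = []
    for line in lines:
        m = DATED_RE.match(line)
        if m:
            records.append(Ioc(m["md5"].lower(), kit, m["date"], (m["note"] or "").strip()))
            continue
        m = SAMPLE_RE.search(line)
        if m:
            # Section samples carry no per-line date; use the section heading's date.
            records.append(Ioc(m["md5"].lower(), kit, default_date, ""))
    return records


def build_index(iocs: Iterable[Ioc]) -> Dict[str, Ioc]:
    """Index records by MD5 for O(1) lookup during a sweep."""
    return {ioc.md5: ioc for ioc in iocs}


def md5_of(data: bytes) -> str:
    # MD5 is used only because the post publishes MD5 values; it identifies a sample, nothing more.
    return hashlib.md5(data).hexdigest()


def match_bytes(data: bytes, index: Dict[str, Ioc]) -> Optional[Ioc]:
    """Return the matching Ioc for a file's bytes, or None if the hash is unknown."""
    return index.get(md5_of(data))


if __name__ == "__main__":
    index = build_index(
        parse_ioc_lines("Angler EK", ANGLER_LINES)
        + parse_ioc_lines("RIG", RIG_LINES, default_date="2015-01-29")
    )
    for ioc in sorted(index.values(), key=lambda i: (i.kit, i.date or "")):
        print(f"{ioc.md5}  {ioc.kit:9s} {ioc.date or '?'}  {ioc.note}")
    # Constructed, benign content: should not match anything in the post.
    print("constructed blob matches:", match_bytes(b"constructed benign content", index))
```

To sweep a directory, read each file's bytes and call match_bytes against the index; the kit and date on the returned record tell you which wave a hit belongs to, which is exactly what the per-section dates in this post are for.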

Fiesta: 2015-01-31

Fiesta successfully exploits Windows XP IE8 Flash using CVE-2015-0311
Fiesta logo courtesy of Fox-IT.
Sample: d2406805f7f8da6e2ddbb93941624c08
Fiddler sent to VT

Nuclear Pack: 2015-02-01

Nuclear Pack successfully exploits Windows XP IE8 Flash using CVE-2015-0311
Sample: 43ad5d1fb45567e44f463fe575888802
Fiddler sent to VT

Sweet Orange: 2015-02-05 (maybe a few days before)

Only seen today on XP... maybe sent earlier to Windows 7 / 8.
I decided to take another look after tweets from @_MDL_

Sweet Orange firing exploit for CVE-2015-0311 - 2015-02-05
Sample: c0fcd4a0768ff179c5a1475f374f8149
Files: 2 fiddlers

Neutrino: 2015-02-06

CVE identification by Anton Ivanov (Kaspersky)
Neutrino firing its bundle of sploits - 2015-02-06
Note: in this pass the Vawtrak payload is most probably the CVE-2014-6332 load
Files: Neutrino_CVE-2015-0311 (fiddler, payload: Vawtrak_77)

Magnitude: 2015-02-08

CVE identification by Timo Hirvonen from F-Secure

Magnitude - CVE-2015-0311 exploited successfully - 2015-02-08
Sample: d633f7b693c011b1bc9d1aecfd83581d
Fiddler: Magnitude_CVE-2015-0311_2015-02-08

Read More:

A Different Exploit Angle on Adobe's Recent Zero-Day - 2015-01-27 - Dan Caselden, Corbin Souffrant, James T. Bennett - FireEye
Top adult site xHamster involved in large malvertising campaign - 2015-01-27 - Malwarebytes Labs
Analyzing CVE-2015-0311: Flash Zero Day Vulnerability - 2015-01-26 - Peter Pi - TrendMicro

Post Publication Reading:
The latest Flash UAF Vulnerabilities in Exploit Kits - 2015-05-28 - Unit 42 - Palo Alto Networks
Exploiting CVE-2015-0311: A Use-After-Free in Adobe Flash Player - 2015-03-04 - Francisco Falcon - Core Security
Exploiting CVE-2015-0311, Part II: Bypassing Control Flow Guard on Windows 8.1 Update 3 - 2015-03-25 - Francisco Falcon - Core Security