This is a fast post. I will update it heavily in the coming hours/days. Sorry for the resulting mess.
I spotted an instance of Angler EK which is sending three different bullets targeting Flash Player :
- Their "standard" CVE-2014-8440 - cb89e2da32a672a2b2bfea5b41f45ad5
- A fresh one (that is mentioned here and [edit 2015-01-22 : ] is a "downgraded" CVE-2015-0310 fixed by Flash 220.127.116.117) - 86ee0a34b6f9b57c732b1aa9f4c45575 which is striking Flash Player up to 18.104.22.168
- and a third one (md5 not shared publicly, sorry). Note : This exploit is not being used in all Angler instances. [ 2015-01-23 : CVE-2015-0311 - 2015-01-24 : Flash 22.214.171.1246 fixes the issue.]
And it seems we have a problem with that third one :
|Angler EK exploiting last version (126.96.36.1997) of Flash Player 2015-01-21|
Disabling Flash player for some days might be a good idea.
As I know I will get a lot of questions and mail, here are some of the tests I made :
TL;DR Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to 188.8.131.527 (included) is installed and enabled.
[Edit : 2015-01-22 - 15:30 GMT+2]
I did not talk about Firefox earlier because there was a decision tree error and Firefox was not receiving the expected bullet. So I thought not talking about it was the best option.
Now that they fixed it, know that the last version of Firefox is owned as well.
Test made with :
- Windows XP, Firefox 35, Flash 184.108.40.2067
Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0
|Till this morning Firefox users were safe.|
Angler EK coders fixed the issue...and they are now under fire as well
- Windows XP, IE6 to 8 obviously. Flash 220.127.116.117
- Windows XP, IE6 to 8 Flash 18.104.22.1687 - 2015-01-22 (replayed in lab environment) :
|Replayed session of Angler EK with Flash 22.214.171.1247 - 2015-01-22|
This version is fixing another vulnerability :
CVE-2015-0310 wrongly reported in this blog as CVE-9162/9163
- Windows 7, IE8 , Flash 126.96.36.1997 :
UA : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
- Win 8 IE10 with Windows8-RT-KB3008925-x86 (Flash 188.8.131.52) -
UA : Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
- Win8 IE10 all updates (Flash 184.108.40.2067)
- Win8.1 IE11 all updates (flash 220.127.116.117) - 2015-01-22
UA : Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
|Fully updated Windows 8.1 with Internet Explorer 11 up to date.|
Owned - 2015-01-22
- Chrome : They are not firing that bullet
UA: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36
More tests ongoing. I will update.
In my opinion it's a little off topic: after Flash exploitation they (multiple customers of the Exploit Kit) can do what they want and change it any time.
As I am getting a lot of questions about it, I decided to add this part.
So the payload I got is Bedep, which can have one or both of these functions : AdFraud, Malware loading.
This family is the child of the group behind Angler EK and Reveton (and is fast replacing Reveton in many distribution paths - we have seen this Ransomware -> AdFraud transition with Kovter as well, where some do Ransomware -> Banking (as did the Qadars group)).
When it was first spotted (around September 2014) it was not persistent, but there are now persistent versions of it.
It's using the legit migsetup.exe to bypass UAC.
Eight Days ago :
|Registry entries from the Persistent Bedep|
|Registry for the persistent Bedep|
Today in an XP VM :
Bedep is working in a Hidden Desktop
|Default0 is a hidden desktop created by Bedep.|
|Bedep faking some browsing with a French IP here. Open many windows, scroll etc....|
I often monitor Bedep traffic as it's a good source of referers for exploit kits.
Zombies are often brought to Magnitude, Sweet Orange, Archie etc. You can even get a Cryptolocker or a CTB-Locker (Critroni) via browsing made by Bedep.
You are looking for Bedep traffic in your Network ?
Search for traffic with :
http://24x7searcher .com, http://global-game-search .me, http://canopus-a7 .in, http://hot100games .in as referer (it's fake)
Search for call to :
Bedep C&C :
AdFraud C&C :
You may find this kind of reply :
HTTP/1.1 200 OK
Date: Thu, 22 Jan 2015 11:09:08 GMT
1|http://hot100games .in|http://canopus-a7 .in/redirect/b4d037973887c5c58701139a0088c424/|Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET CLR 1.1.4322; .NET4.0C; Tablet PC 2.0)|en-US|343
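One way to hunt for the traffic described above, as an added example that is not from the original post: it flags proxy-log requests carrying the fake referers and parses the pipe-delimited reply shown above. The tab-separated log layout (client, URL, referer), the field names and the sample log lines are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Fake referers listed in the post, kept defanged ("name .tld") as published.
DEFANGED_REFERERS = ["24x7searcher .com", "global-game-search .me",
                     "canopus-a7 .in", "hot100games .in"]
FAKE_HOSTS = {d.replace(" ", "") for d in DEFANGED_REFERERS}
# Assumed field names; the post shows the reply but does not name its fields.
FIELDS = ("flag", "referer", "url", "user_agent", "lang", "number")

def host_of(url):
    """Lower-cased hostname of a URL; tolerates the post's defanging spaces."""
    return (urlsplit(url.replace(" ", "")).hostname or "").lower()

def is_fake_referer(referer):
    """True when the referer host is one of the listed domains or a subdomain."""
    host = host_of(referer)
    return any(host == h or host.endswith("." + h) for h in FAKE_HOSTS)

def parse_task_line(line):
    """Split one pipe-delimited reply line; None if it does not fit the shape."""
    parts = line.strip().split("|")
    if len(parts) != len(FIELDS) or not (parts[0].isdigit() and parts[5].isdigit()):
        return None
    if not (host_of(parts[1]) and host_of(parts[2])):
        return None
    return dict(zip(FIELDS, parts))

def scan_proxy_log(lines):
    """Return (client, url) for requests carrying one of the fake referers.
    Assumed log layout: client<TAB>url<TAB>referer."""
    hits = []
    for line in lines:
        cols = line.rstrip("\n").split("\t")
        if len(cols) == 3 and is_fake_referer(cols[2]):
            hits.append((cols[0], cols[1]))
    return hits

# Constructed samples: the reply is the post's line with the User-Agent shortened.
SAMPLE_REPLY = ("1|http://hot100games .in|http://canopus-a7 .in/redirect/"
                "b4d037973887c5c58701139a0088c424/|Mozilla/5.0 (compatible; "
                "MSIE 9.0; Windows NT 6.1; Trident/5.0)|en-US|343")
SAMPLE_LOG = [
    "10.0.0.5\thttp://ads.example.net/landing\thttp://hot100games.in/",
    "10.0.0.9\thttp://www.example.org/\t-",
    "10.0.0.5\thttp://shop.example.com/item\thttp://www.24x7searcher.com/q",
    "10.0.0.7\thttp://cdn.example.com/a.js\thttp://nothot100games.in/",
]

if __name__ == "__main__":
    print(parse_task_line(SAMPLE_REPLY), scan_proxy_log(SAMPLE_LOG))
```

The referer match is on the exact host or a subdomain of it, so a look-alike such as the last constructed log line is not flagged.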
As I am being harassed by requests to test it, I ended up installing Emet 5.1 and testing it in live conditions with Windows 8.1 32bits, Internet Explorer 11, Flash 18.104.22.1687
I don't know how to use it. I just did an install, used recommended Settings. Finish.
|Emet 5.1 after installation. Default Settings|
|Emet 5.1 spotting StackPivot and protecting the VM against the Flash Vuln|
[Edit : 2015-01-24]
You do not need an advanced weapon to effectively fire a Golden Bullet
Why bothering with an EK when you have CVE-2015-0311? Being used in standalone mode to spread Reveton on Adult Traffic pic.twitter.com/0a8JLzhOD7
— Kafeine (@kafeine) January 24, 2015
Asked in Comment : Sample pushed in that pass was : f9385217a5c03ecf9136ceca7e7d03d2
[Edit : 2015-01-27]
The CVE-2015-0311 has been deployed to all Angler EK instances.
One Bedep Sample - Disclaimer : Samples are rotating really fast and there are x64 versions as well.
Nothing else yet. But you know how to contact me.
Post Publication Reading :
CVE-2015-0311 (Flash up to 22.214.171.1247) integrating Exploit Kits - 2015-01-29
A Different Exploit Angle on Adobe's Recent Zero-Day - 2015-01-27 - Dan Caselden, Corbin Souffrant, James T. Bennett - FireEye
Top adult site xHamster involved in large malvertising campaign - 2015-01-27 - Malwarebytes Labs
Analyzing CVE-2015-0311: Flash Zero Day Vulnerability - 2015-01-26 Peter Pi - TrendMicro
Adobe Security Bulletin - 2015-01-22
Websense for inputs allowing me to make additional live tests
As I want to thank them for their trust, I will shamelessly tell you that I tested it against the free version of Malwarebytes Anti Exploit (a product from one of my customers). They stopped it. Well done !