Reported by TrendMicro (2015-02-02) and fixed with Adobe Flash Player 220.127.116.115, the code to exploit CVE-2015-0313 was introduced in Hanjuan Exploit Kit at the beginning of December 2014, according to Malwarebytes.
Hanjuan is the name chosen by @MalwareSigs for an Exploit Kit he first reported on 2013-10-14.
I would say this pastebin from 2011 is already showing a traff/stats tuple from Hanjuan (or an ancestor).
|pastebin from 2011 - Candidate for stats/traff link for Hanjuan ancestor|
On 2015-02-03, I captured a Fiddler of the live chain exploiting CVE-2015-0313 as spotted by TrendMicro in their telemetry.
|Full chain to bedep via CVE-2015-0313 - 2015-02-03|
So despite what Dailymotion is claiming here, their USA users were indeed affected by this "0day".
But this can happen to any company showing ads. A web advert is often the result of a long chain of trust (like software and drivers in an operating system: one fails, everyone falls).
The problem for me in that case is that Engage:BDR (delivery.first-impression.com) was totally aware that this specific customer (Caraytech group - e-planning.net) was conditionally redirecting users to Hanjuan Exploit Kit.
I sent them a warning on 2014-12-12 and after not far from 80 mail exchanges till 2014-12-28, I decided to stop communicating with them as they were litigious and obviously not willing to stop the involved advert IDs. There were also many tweets from @BelchSpeak illustrating the issue.
You may now understand that tweet which is not exactly in line with my timeline.
(Note: I might ask for some help in case Engage:BDR decides to go the legal way against me because of this post. The irony: being more afraid of a "legit" company than of guys converting coffee into malware activity.)
Unsurprisingly, this exploit is now being rolled into other exploit kits and, again no surprise, Angler is the first one.
2015-02-10 - First spotted by @SecObscurity, CVE id confirmed by Anton Ivanov (Kaspersky)
Thanks Nathan Fowler for the Referer.
|Angler EK successfully exploiting CVE-2014-6332 and CVE-2015-0313|
Timo's (from F-Secure) comment on it :
Go home, Angler exploit kit, you're drunk - and you forgot to obfuscate your Flash exploit. pic.twitter.com/O1EZmlwrNq
— Timo Hirvonen (@TimoHirvonen) February 11, 2015
Commented Fiddler sent to VT
For those who want the Necurs and Pony
(Note: this Pony, which has been around (in poke-a-mole mode)
[Right now : 02/11/2015 afraid.magicmotors.xyz [**] /news.php 18.104.22.168:80 ]
since at least October, is most probably operated by the Bedep/Angler Team or a really close partner.)
Flash EK :
Those are SWF (advert) to payload version.
Payload was :
108.61.50 .228 /20150313/bermengem.php.
File is here
Thanks for CVE Identification : Kaspersky and Timo Hirvonen from F-Secure
Sweet Orange :
First occurrence : 2015-02-26 - 41d3a202e5679571f3c760033393452c
|Sweet Orange pushing QBot via CVE-2015-0313 2015-03-21|
(that sample is inside SWT since 2015-03-11)
Thanks to @SecObscurity for the hint and Anton Ivanov (Kaspersky) for confirmation
Spotted : 2015-03-31
|Fiesta dropping Kovter via CVE-2015-0313 - 2015-03-31|
(Fiesta Logo : Courtesy of Fox-IT)
Thanks to @node5 from Emerging Threats for the Referer and @TimoHirvonen from F-Secure for CVE id confirmation.
Spotted : 2015-04-02 Please see CVE-2015-0336 (Flash up to 22.214.171.1245) and Exploit Kits
|CVE-2015-0313 fired by Neutrino - 2015-04-02|
Identification by Kaspersky (thanks)
Read More :
Analyzing CVE-2015-0313: The New Flash Player Zero Day - 2015-02-04 - Peter Pi - TrendMicro
A New Zero-Day of Adobe Flash CVE-2015-0313 Exploited in the Wild - 2015-02-03 - Ben Hayak - SpiderLabs
HanJuan EK fires third Flash Player 0day - 2015-02-03 - Malwarebytes Lab
Trend Micro Discovers New Adobe Flash Zero-Day Exploit Used in Malvertisements - 2015-02-02 - Peter Pi - TrendMicro
Shining some light on the ‘Unknown’ Exploit Kit - 2014-08-28 - Jerome Segura - MalwareBytes
Unknown EK - 2013-10-14 - MalwareSigs
Post Publication Reading :
The latest Flash UAF Vulnerabilities in Exploit Kits - 2015-05-28 - Unit42 - Palo Alto