2015-02-11 - Exploit Integration
CVE-2015-0313 (Flash up to 16.0.0.296) and Exploit Kits
Reported by TrendMicro (2015-02-02) and fixed in Adobe Flash Player 16.0.0.305, the exploit for CVE-2015-0313 was introduced in Hanjuan Exploit Kit at the beginning of December 2014, according to Malwarebytes.
Hanjuan is the name chosen by @MalwareSigs for an Exploit Kit he first reported on 2013-10-14.
I would say this pastebin from 2011 already shows a traff/stats tuple from Hanjuan (or an ancestor).
pastebin from 2011 - Candidate for stats/traff link for Hanjuan ancestor
On 2015-02-03, I captured a Fiddler of the live chain exploiting CVE-2015-0313, as spotted by TrendMicro in their telemetry.
Full chain to bedep via CVE-2015-0313 - 2015-02-03
So despite what Dailymotion is claiming here, their USA users were indeed affected by this "0day".
But this can happen to any company showing ads. A web advert is often the result of a long chain of trust (as with software/drivers in an operating system: one fails, everyone falls).
The problem for me in this case is that Engage:BDR (delivery.first-impression.com) was fully aware that this specific customer (Caraytech group - e-planning.net) was conditionally redirecting users to Hanjuan Exploit Kit.
I sent them a warning on 2014-12-12 and, after close to 80 mail exchanges up to 2014-12-28, I decided to stop communicating with them as they were litigious and obviously unwilling to stop the advert IDs involved. There were also many tweets from @BelchSpeak illustrating the issue.
You may now understand that tweet, which is not exactly in line with my timeline.
(Note : I might ask for some help in case Engage:BDR decides to go the legal way against me because of this post. The irony : being more afraid of a "legit" company than of guys converting coffee into malware activity.)
Unsurprisingly, this exploit is now being rolled into other Exploit Kits and, again no surprise, Angler is the first one.
Angler :
2015-02-10
First spotted by @SecObscurity, CVE id confirmed by Anton Ivanov (Kaspersky). Thanks to Nathan Fowler for the Referer.
Angler EK successfully exploiting CVE-2014-6332 and CVE-2015-0313 - 2015-02-11
Timo's (from F-Secure) comment on it :
Go home, Angler exploit kit, you're drunk - and you forgot to obfuscate your Flash exploit. pic.twitter.com/O1EZmlwrNq
— Timo Hirvonen (@TimoHirvonen) February 11, 2015
Commented Fiddler sent to VT
For those who want the Necurs and Pony:
(note : this Pony, which has been around (in whack-a-mole mode)
[Right now : 02/11/2015 afraid.magicmotors.xyz [**] /news.php 37.59.5.218:80 ]
since at least October, is most probably operated by the Bedep/Angler Team or a really close partner)
Flash EK :
These are the SWF (advert) to payload versions.
2015-03-05 d3bd21c6cb2dee25609fcc7fea0145cf
Payload was :
108.61.50 .228 /20150313/bermengem.php
File is here
Thanks for CVE Identification : Kaspersky and Timo Hirvonen from F-Secure
One more:
fa7c385f4da271782da8819def239e99
192.161.180 .246/art1103151/bermengem.php
Sweet Orange :
First occurrence : 2015-02-26 - 41d3a202e5679571f3c760033393452c
Sweet Orange pushing QBot via CVE-2015-0313 - 2015-03-21 (that sample is inside SWT since 2015-03-11)
Thanks to @SecObscurity for the Hint and Anton Ivanov ( Kaspersky ) for confirmation
Fiesta :
Spotted : 2015-03-31
Fiesta dropping Kovter via CVE-2015-0313 - 2015-03-31 (Fiesta Logo : Courtesy of Fox-IT)
Thanks to @node5 from Emerging Threats for the Referer and @TimoHirvonen from F-Secure for CVE id confirmation.
Neutrino :
Spotted : 2015-04-02. Please see CVE-2015-0336 (Flash up to 16.0.0.305) and Exploit Kits
CVE-2015-0313 fired by Neutrino - 2015-04-02 - Identification by Kaspersky (thanks)
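The indicator listings above are defanged in the post's usual way (a space inside the IP, a space before the path, "[**]" between host and path), which makes them awkward to paste straight into a blocklist or a search. The following Python is an added example and not code from the original post: it refangs lines in that format, extracts the MD5, IPv4 and host/path indicators, and also flags Flash build strings below the fixed 16.0.0.305 as still exposed to CVE-2015-0313. The sample lines are constructed copies of the listings on this page; only the 16.x branch named on the page is modelled for the version check.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: indicator lines in the style of the listings on this page.
# Defanging to undo: spaces inside IPs / before paths, "[**]" as host-path separator.
SAMPLE_LINES = [
    "afraid.magicmotors.xyz [**] /news.php 37.59.5.218:80",
    "2015-03-05 d3bd21c6cb2dee25609fcc7fea0145cf",
    "108.61.50 .228 /20150313/bermengem.php",
    "fa7c385f4da271782da8819def239e99",
    "192.161.180 .246/art1103151/bermengem.php",
    "First occurrence : 2015-02-26 - 41d3a202e5679571f3c760033393452c",
]

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A dotted host (domain name or IPv4) immediately followed by a path.
URL_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z0-9-]+)(/[^\s]*)", re.IGNORECASE)

# Build that fixes CVE-2015-0313 according to the post (16.0.0.296 is the last affected one).
FIXED_FLASH = (16, 0, 0, 305)


def refang(line: str) -> str:
    """Undo the listing's defanging: drop the "[**]" separator and collapse
    whitespace around dots and slashes so hosts and paths join back up."""
    line = re.sub(r"\s*\[\*\*\]\s*", "", line)
    line = re.sub(r"\s*\.\s*", ".", line)
    line = re.sub(r"\s*/\s*", "/", line)
    return line.strip()


def _valid_ipv4(candidate: str) -> bool:
    """Reject dotted quads with an octet above 255 (the regex only checks digit count)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def extract_indicators(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Refang each line and collect MD5 hashes, IPv4 addresses and host+path URLs.
    IPs that appear as the host of a URL are reported under both keys."""
    md5s, ips, urls = set(), set(), set()
    for raw in lines:
        line = refang(raw)
        md5s.update(m.lower() for m in MD5_RE.findall(line))
        ips.update(ip for ip in IPV4_RE.findall(line) if _valid_ipv4(ip))
        urls.update(host + path for host, path in URL_RE.findall(line))
    return {"md5": sorted(md5s), "ipv4": sorted(ips), "url": sorted(urls)}


def is_vulnerable_flash(version: str) -> bool:
    """True when a Flash build string (dotted or comma separated, as Flash reports
    it) is older than 16.0.0.305. Assumption: only the 16.x line discussed on the
    page is modelled; other release branches are not handled here."""
    parts = tuple(int(p) for p in re.split(r"[.,]", version.strip()))
    return parts < FIXED_FLASH


if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_LINES).items():
        print(kind, values)
    for build in ("16.0.0.296", "16.0.0.305"):
        print(build, "vulnerable" if is_vulnerable_flash(build) else "patched")
```

The refang step is deliberately narrow (only the three defanging conventions seen in these listings) so it does not silently rewrite prose that happens to contain dots; feed it indicator lines, not whole paragraphs.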
Read More :
Analyzing CVE-2015-0313: The New Flash Player Zero Day - 2015-02-04 - Peter Pi - TrendMicro
A New Zero-Day of Adobe Flash CVE-2015-0313 Exploited in the Wild - 2015-02-03 - Ben Hayak - SpiderLabs
HanJuan EK fires third Flash Player 0day - 2015-02-03 - Malwarebytes Lab
Trend Micro Discovers New Adobe Flash Zero-Day Exploit Used in Malvertisements - 2015-02-02 - Peter Pi - TrendMicro
Shining some light on the ‘Unknown’ Exploit Kit - 2014-08-28 Jerome Segura - MalwareBytes
Unknown EK - 2013-10-14 - MalwareSigs
Post Publication Reading :
The latest Flash UAF Vulnerabilities in Exploit Kits - 2015-05-28 - Unit42 - Palo Alto