2015-03-20 - Exploit Integration
CVE-2015-0336 (Flash up to 16.0.0.305) and Exploit Kits
As reported by Malwarebytes and FireEye, Nuclear Pack is now taking advantage of a vulnerability patched in the latest version of Flash Player (17.0.0.134).
Nuclear Pack:
Thanks @TimoHirvonen for CVE identification.
Appeared there on the morning of 2015-03-19 with this sample: cff213130ade23a2d03423305cff0639.
CVE-2015-0336 fired by Nuclear Pack 2015-03-20
Nuclear Pack is firing both CVE-2015-0311 and CVE-2015-0336, depending on the instance you land on. The CVE-2015-0336 sample has rotated today:
c316dc31b8d4f85e655e15aa75c7b999 and later:
8c129a72b64580e0d1cf4d1e2324eb0f
Fiddler pushed to VT: Here
2015-03-20 - 17h: rewording to avoid confusion. The two Flash CVEs are not in the same sample.
NB: the exploit does not seem really reliable. I won't detail for obvious reasons.
Angler EK:
Spotted on 2015-03-24
Note: it's not in all instances. Thanks @TimoHirvonen for CVE confirmation.
Angler EK successfully exploiting CVE-2015-0336 - 2015-03-24
Fiddler pushed to VT: Here (note: password is malware)
Edit: 2015-03-27, now fired in all Angler EK instances.
Edit 2: already there on 2015-03-20 according to FireEye (see comments)
Magnitude:
Spotted on 2015-03-27
Thanks Anton Ivanov (Kaspersky) for CVE confirmation.
Magnitude successfully exploiting CVE-2015-0336 - 2015-03-27
Fiddler pushed to VT: Here (note: password is malware)
Want the CryptoWall?
f0367ed57fcb871fce54aacfc4308235c8e2eb534939314f78f4442b0a61f149
Here (Owncloud).
Neutrino:
Spotted on 2015-04-02
Thanks Anton Ivanov (Kaspersky) for CVE identification.
Neutrino firing CVE-2015-0336 2015-04-02
Fiddler sent to VT: Here
Read More:
CVE-2015-0336 Nuclear EK - FireEye - 2015-03-19
Nuclear EK leverages recently patched Flash vulnerability - Malwarebytes - 2015-03-19
Post Publication Reading:
Understanding type confusion vulnerabilities: CVE-2015-0336 - 2015-06-18 - Jeong Wook Oh - Microsoft