2015-03-20 - Exploit Integration

CVE-2015-0336 (Flash up to 16.0.0.305) and Exploit Kits



As reported by Malwarebytes and FireEye, Nuclear Pack is now taking advantage of a vulnerability patched in the latest version of Flash Player (17.0.0.134).


Nuclear Pack: thanks @TimoHirvonen for the CVE identification.
It appeared there on the morning of 2015-03-19 with this sample: cff213130ade23a2d03423305cff0639.


CVE-2015-0336 fired by Nuclear Pack - 2015-03-20

Nuclear Pack is firing both CVE-2015-0311 and CVE-2015-0336, depending on the instance you land on. The CVE-2015-0336 sample rotated today:
c316dc31b8d4f85e655e15aa75c7b999 and later:
8c129a72b64580e0d1cf4d1e2324eb0f

Fiddler pushed to VT : Here

2015-03-20 - 17h: reworded to avoid confusion. The two Flash CVEs are not in the same sample.
NB: the exploit does not seem really reliable. I won't detail for obvious reasons.

Angler EK:
Spotted on 2015-03-24
Note: it's not in all instances. Thanks @TimoHirvonen for the CVE confirmation.
Angler EK successfully exploiting CVE-2015-0336 - 2015-03-24
Sample is: 56827d66a70fb755967625ef6f002ad9
Fiddler pushed to VT: Here (note: password is malware)
Edit: 2015-03-27, now fired in all Angler EK instances.
Edit2: already there on 2015-03-20 according to FireEye (see comments)

Magnitude:
Spotted on 2015-03-27
Thanks Anton Ivanov (Kaspersky) for the CVE confirmation.
Magnitude successfully exploiting CVE-2015-0336 - 2015-03-27
Sample was: d5707ffdeb966d17620951afc4840771c8ae32cb477c87d697d0261eea44fcb3
Fiddler pushed to VT: Here (note: password is malware)
Want the CryptoWall payload?
f0367ed57fcb871fce54aacfc4308235c8e2eb534939314f78f4442b0a61f149
Here (ownCloud).

Neutrino:
Spotted on 2015-04-02
Thanks Anton Ivanov (Kaspersky) for the CVE identification.

Neutrino firing CVE-2015-0336 - 2015-04-02
Sample is: 46fdf539e2b782c986ecca437d736f9a095c0e1a5de9549fb4052424d696c27b
Fiddler sent to VT: Here

Read More:
CVE-2015-0336 Nuclear EK - FireEye - 2015-03-19
Nuclear EK leverages recently patched Flash vulnerability - Malwarebytes - 2015-03-19

Post Publication Reading:
Understanding type confusion vulnerabilities: CVE-2015-0336 - 2015-06-18 - Jeong Wook Oh - Microsoft