2015-04-24 - Exploit Integration

CVE-2015-0359 (Flash up to and Exploit Kits

As spotted by FireEye on 2015-04-17, Angler EK is now taking advantage of a vulnerability patched in the latest version of Flash Player ( )

[Edit : we are aware that the vulnerability featured in most exploit kits was patched at the same time as CVE-2015-0359 but is not the same vulnerability as 0359. This kind of event has already happened in the past, cf. CVE-2014-8439 (vs CVE-2014-0569) and CVE-2015-0310 (vs CVE-2014-9162/9163), but in this case Adobe did not provide another CVE id ]

Angler EK :

Angler EK successfully exploiting CVE-2015-0359
Flash Sample from this pass : ff7685252e2a353b10543df90214f1a948a554947323b07078c18e9f6a810373
Fiddler sent to VT

"Standalone" Neutrino-ish :
Thanks to the Malwarebytes Anti-Exploit team for the referer
Thanks to Timo Hirvonen for CVE identification

Same CVE as Angler used in "Standalone" mode - 2015-04-27
IE11 - Win7 Flash

Traffic source : adxpansion on a porn website
Sample (Viagra/Cialis badvert) : c14c1130796167bbe0172dda86adec4ff3dcc34a81451f285795b81c2abd4983
Fiddler : sent on VT

This drops a .js into %temp% or %temp%\low; that script performs the RC4 decryption of the payload and is then run by wscript.

wscript executing the js

In another case (badvert : 403cba4b81d235b5b53912c4b68995c7) you can see the RC4 key used.
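The dropper stage above decrypts its payload with RC4 before wscript runs it. The following is an added example, not code from this post nor from the kit itself: a plain RC4 (KSA + PRGA) implementation in JavaScript that an analyst can use to replay that decryption on a captured blob once the key has been pulled out of the dropped .js. The key and ciphertext used at the bottom are constructed public RC4 test vectors, not data from the samples listed here.

```javascript
'use strict';

// RC4 key scheduling (KSA) followed by the keystream generator (PRGA).
// The keystream is XOR'd over `data`, so the same call both encrypts and
// decrypts. `keyBytes` and `data` are Uint8Array/Buffer.
function rc4(keyBytes, data) {
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;

  // KSA: permute S using the key
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    const t = S[i]; S[i] = S[j]; S[j] = t;
  }

  // PRGA: emit one keystream byte per input byte and XOR it in
  const out = new Uint8Array(data.length);
  let i = 0;
  j = 0;
  for (let k = 0; k < data.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    const t = S[i]; S[i] = S[j]; S[j] = t;
    out[k] = data[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Droppers usually carry the key as an ASCII string and the payload as a
// hex (or base64) blob; these wrappers take that shape and return hex.
function rc4Hex(keyStr, hexData) {
  const key = Buffer.from(keyStr, 'latin1');
  const data = Buffer.from(hexData, 'hex');
  return Buffer.from(rc4(key, data)).toString('hex');
}

// Same as rc4Hex but decodes the result as text, for payloads that are a
// second-stage script rather than a PE.
function rc4Decrypt(keyStr, hexData) {
  return Buffer.from(rc4Hex(keyStr, hexData), 'hex').toString('latin1');
}

// Constructed demonstration input (public RC4 test vector, not a sample
// from the malvertising chain above): key "Key", ciphertext bbf316e8d940af0ad3.
console.log(rc4Decrypt('Key', 'bbf316e8d940af0ad3'));
```

To use it on a real capture, replace the key string with the one visible in the dropped .js and feed the blob it decrypts; if the output starts with "MZ" it is a PE, otherwise expect another script stage.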

Note the 6-minute sleep :)

Dropped malware : You can get them here.
Tofsee maybe : a29acacfc2b5e44cdbfb769ce9cf9ccf
Trapwot fake av (defender pro 2015) : 37cd5cb1ebabcb921fe20341c2a63fc4
Undefined : 2e297279f7d919e4e67464af91fb6516

Drops in %temp%

One more :

Neutrino-ish malvert 2015-04-30
cf :  https://twitter.com/BelchSpeak/status/593803410207612928
Fiddler sent to VT (password : malware)

Those drops were so "Neutrino-ish" that I decided to take a look at Neutrino under the same conditions, and guess what :

Neutrino :
Thanks to Timo Hirvonen for CVE identification
Same CVE as Angler used in "Standalone" mode - 2015-04-27
IE11 - Win7 Flash

Sample : d7a44f7794f8f0ba972c41d30d1e47d3232b32b45292ac9c9c9d8d338814f3d3
Fiddler sent to VT

Nuclear Pack :
Thanks to TrendMicro for confirming the CVE was the same as the one used in Angler EK

Nuclear Pack successfully exploiting Flash inside IE11 on Windows 7
to push Kelihos Loader (suba002)
NB: some Nuclear Pack instances are still only firing CVE-2015-0335.
Sample : 6eca6686bf2450d6251add82f5f5681e6c542575acf350f21efede628c6be6fe
Fiddler sent to VT

RIG :
Thanks @TimoHirvonen for CVE confirmation.
RIG now

Sample was : a345a866f64fb61e482ead7e3b3979542381b579c6065ffd7e93bc23faefdd4c
Fiddler sent to VT

To those wondering why I do not give direct links to an exploit patched less than one month ago, look at these stats shared by a user underground :
RIG stats (mostly BR) shared by a user underground

Magnitude successfully exploiting CVE-2015-0359 to push Cryptowall and Zemot
Sample in that pass : 85e0f358c80e9013be2358e4ee11d90885d74f5b32d4cef710b76e0245631b26
Fiddler sent to VT

Logo Courtesy of Fox-IT
Fiesta firing CVE-2015-0359 (more like the real one, according to @TimoHirvonen)
Sample in that pass : a78f2cd9233523141fc29960831947ad9f993e08680f2db10facf2ed93a7e94e
Fiddler sent to VT

Read more :
Latest Flash Exploit in Angler EK Might Not Really Be CVE-2015-0359 - 2015-04-22 - Peter Pi - TrendMicro
Angler EK Exploiting Adobe Flash CVE-2015-0359 with CFG Bypass - 2015-04-18 - Dan Caselden and Sai Omkar Vashisht - FireEye

Post Publication Reading :
Understanding Flash Exploitation and the Alleged CVE-2015-0359 Exploit - 2015-06-01 - Unit42 - Palo Alto
The latest Flash UAF Vulnerabilities in Exploit Kits - 2015-05-28 - Unit42 - Palo Alto