2015-05-27 - Exploit Integration

CVE-2015-3090 (Flash up to 17.0.0.169) and Exploit Kits



As spotted by FireEye Angler EK is now exploiting CVE-2015-3090 patched with Flash 17.0.0.188

Angler EK :
2015-05-26

Only in few instances for now.
Angler EK successfully exploiting Flash 17.0.0.169 on Windows 7 running Internet Explorer 11
to push Bedep and an Adfraud module.
2015-05-27
Sample in that pass : 6cb6701ba9f78e2d2dc86d0f9eee798a
Fiddler sent to VT

Nuclear Pack :
2015-05-29

Thanks to Dan Caselden (FireEye), Timo Hirvonen (F-Secure) and Ladislav Janko (Eset) for CVE identification.
Nuclear Pack successfully exploiting  Flash 17.0.0.169 in Internet Explorer 11 on Windows 7
to push Andromeda
Sample in that pass : 9545257d3799f1b4d9cc00ae01a1b147
Fiddler sent to VT

Magnitude :
2015-05-29

Thanks to Anton Ivanov ( Kaspersky )  for CVE identification.
Magnitude exploiting Flash 17.0.0.169  to drop Cryptowall
2015-05-29
Sample in that pass : 645162c4eca4a8ec5a5d7d3f4f8b57fe
Fiddler sent to VT

Neutrino :
2015-06-01

Thanks to Anton Ivanov ( Kaspersky )  and Microsoft for CVE indentification.
Neutrino exploiting Flash 17.0.0.169 to drop Andromeda
2015-06-01 
Sample in that pass : 4e543ae5bafe9a1a1a8f6e8923c5d8a8
Fiddler sent to VT

RIG:

Thanks to Matt Oh (Microsoft ) for CVE id confirmation

RIG firing a flash containing code to exploit CVE-2015-3090
to drop Urausy (sic) 2015-06-06
Sample in that pass : 1471988ec0f4c15b0d3b4d728af080d9
Fiddler sent to VT.

Read more :
Angler EK Exploiting Adobe Flash CVE-2015-3090 - 2015-05-26 - Sai Omkar Vashisht, Corbin Souffrant, Yasir Khalid, Dan Caselden  - FireEye

Post Publication Reading :
Adobe Flash Player ShaderJob Buffer Overflow - 2015-06-19 - PacketStorm

EXPLOIT-KIT
Magnitude RIG Nuclear Pack Neutrino CVE-2015-3090 Angler EK