2015-07-11 - Exploit Integration

CVE-2015-5122 (HackingTeam 0day two - Flash up to 18.0.0.203) and Exploit Kits



Another 0day (a patch is expected in the coming week) was part of the files leaked in the HackingTeam compromise.

The exploit code was quickly disclosed and integrated into Metasploit, and, as we all expected once again, integration into exploit kits was a matter of hours.

Angler EK:
2015-07-11
Thanks to Peter Pi from TrendMicro for the CVE ID confirmation.
Flash 18.0.0.203 exploited by Angler EK via CVE-2015-5122 in Firefox
2015-07-11
Sample in that pass: fcecd6b624bb50301a17d5aa423e135d
(Out of topic payload: Bedep, calling additional malware and performing adfraud:
- 44ddbe75d4bca0097f84005969d5e671 - Andromeda, C&C: adm-serv.com - 5.255.67.108
- df1a4963f1b40592cf416b3b70980071 - Pony, gate: news.php
- 46f4b368a761d76a7f6d08cbfccd9ab6 - Zeprox.B, C&C: 92.63.88.8)

Files: Fiddler (password is malware)


Neutrino :
2015-07-13 (before patch)
Flash 18.0.0.203 exploited by Neutrino via CVE-2015-5122
2015-07-13 (before patch)
Sample in that pass: 31d03169b9742a0ff04e3d24bb448bbf
(Out of topic payload: 0bc329730065f7eb8092203643964ca8 - Bunitu)
Files: Fiddler (password is malware)

Nuclear Pack:
2015-07-14 (few hours before patch)
Thanks to Anton Ivanov (Kaspersky) for the CVE ID confirmation.
Note: I saw after publishing that it had already been spotted by Brooks_Li from TrendMicro.
Flash 18.0.0.203 exploited by Nuclear Pack via CVE-2015-5122
2015-07-14 (before patch)
Sample in that pass: 283b7b347c721349dd3d24e9dc7ee3be
(Out of topic payload: 0d3390cb437ad7600fe0c532444af098 - Troldesh.A ransomware)
Files: Fiddler (password is malware)

RIG :
2015-07-14 (few hours before patch)
As spotted by Brooks_Li from TrendMicro.

Flash 18.0.0.203 exploited by RIG via CVE-2015-5122
2015-07-14 (before patch)
Sample in that pass: 02e0bd1444f0f6304fcefe2219888cd0
(Out of topic payload: 28031705eea28f6074e770a987cc85ec - probably Betabot)
Files: Fiddler (password is malware)

Magnitude :
2015-07-15

Flash 18.0.0.203 exploited by Magnitude via CVE-2015-5122
2015-07-15 (after patch)
Sample in that pass: adc158116b27853bb6cc73913dad8ab7
(Out of topic payloads: Cryptowall 2230489586461a1627a4e1360d70c7ed and Cryptowall 9edf36d62fdd1ca7fcd99c191a83e701)
Files: Fiddler (password is malware)

NullHole :
2015-07-22
(Edit: Once again, I spotted the tweet from Brooks_Li several hours after publication.)
Flash 18.0.0.203 exploited by NullHole via CVE-2015-5122
2015-07-22 (after patch)

Sample: here
(Out of topic payload: 9eaa90742d09daeb3157c30a3b18da7a)
Files: Fiddler and Sample (password is malware)

Spartan :
2015-09-11
I came across that Spartan a few hours after SonicWall wrote about it.
IMO it's the work of the Nuclear Pack coder (the XML and payload server are IMO operated by that actor).
Spartan EK firing CVE-2015-5122 to drop Miuref
2015-09-12
Sample: 7e8b025c5e557c90fca8c33151378430
Files: Fiddler (password is malware)
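Every pass above has the same two triage questions: did a client at or below Flash 18.0.0.203 (the last build this page names as exploited) fetch an SWF, and did anything afterwards talk to the C&C infrastructure listed in the payload notes? The script below is an added example, not code from the original post or from any of the kits; it runs over a few constructed log lines in a made-up "client method host path status flash=version" format (real Fiddler/SAZ captures look different, so the parser would need adapting), reads the Flash version in the comma-separated form the x-flash-version request header uses, and matches the hostnames and IPs copied from the Angler pass notes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Last Flash Player build named on this page as exploited via CVE-2015-5122.
# Anything at or below this build is treated as vulnerable by this check.
LAST_VULNERABLE = (18, 0, 0, 203)

# Network indicators copied from the Angler payload notes above
# (Andromeda and Zeprox.B C&C). Host/IP only; the Pony gate is a path.
IOC_HOSTS = {"adm-serv.com", "5.255.67.108", "92.63.88.8"}

# Constructed log format (assumption, not the original Fiddler layout):
#   <client> <method> <host> <path> <status> flash=<a,b,c,d or ->
LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+"
    r"(?P<status>\d{3})\s+flash=(?P<flash>\S+)$"
)

Version = Tuple[int, int, int, int]


def parse_flash_version(raw: str) -> Optional[Version]:
    """Parse '18,0,0,203' (x-flash-version style) or '18.0.0.203'; None if absent."""
    if raw in ("-", ""):
        return None
    parts = raw.replace(".", ",").split(",")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def is_vulnerable(version: Optional[Version]) -> bool:
    """Tuple comparison gives the right ordering for dotted builds."""
    return version is not None and version <= LAST_VULNERABLE


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Flag SWF loads by a vulnerable Flash build and any contact with listed C&C hosts."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # constructed format only; unparsable lines are skipped
        host = m.group("host").lower()
        path = m.group("path")
        ver = parse_flash_version(m.group("flash"))
        if path.lower().endswith(".swf") and is_vulnerable(ver):
            findings.append({
                "client": m.group("client"),
                "reason": "vulnerable Flash loading SWF",
                "detail": f"{host}{path} flash={m.group('flash')}",
            })
        if host in IOC_HOSTS:
            findings.append({
                "client": m.group("client"),
                "reason": "known C&C indicator",
                "detail": f"{m.group('method')} {host}{path}",
            })
    return findings


# Constructed sample traffic (hostnames invented; IOC hosts from the page).
SAMPLE_LOG = [
    "10.0.0.5 GET landing.example.invalid /index.php 200 flash=-",
    "10.0.0.5 GET landing.example.invalid /ex.swf 200 flash=18,0,0,203",
    "10.0.0.7 GET landing.example.invalid /ex.swf 200 flash=18,0,0,209",  # higher build, not flagged
    "10.0.0.5 POST adm-serv.com /gate.php 200 flash=-",
    "10.0.0.5 GET 92.63.88.8 /cmd 200 flash=-",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['client']}: {f['reason']} ({f['detail']})")
```

The version test is deliberately "at or below", since the page only establishes 18.0.0.203 as exploited; tighten the constant once the vendor advisory names the fixed build.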

Read More:
CVE-2015-5122 - Second Adobe Flash Zero-Day in HackingTeam Leak - 2015-07-10 - Dhanesh Kizhakkinan - FireEye
Another Zero-Day Vulnerability Arises from Hacking Team Data Leak - 2015-07-11 - Peter Pi - TrendMicro
Spartan Exploit Kit (Sep 11th, 2015) - 2015-09-11 - SonicWall Security Center