2015-07-08 - Exploit Integration

CVE-2015-5119 (HackingTeam 0d - Flash up to and Exploit Kits

As we are all aware, a 0d (for which a patch is expected tomorrow) was part of the files leaked from the HackingTeam compromission.

As we were all expecting, integration in exploit kits was a matter of hours and it looks like Angler EK team is at it.

Angler EK :
[Got confirmation from Anton Ivanov ( Kaspersky )  that this is indeed HT 0d]
[Sad Edit 2015-07-09] NB : If you see no credits here, it's because despite what you might read here or there...there was absolutely no mention anywhere of this CVE in Angler at the time of the Tweet/Publishing. Dark souls are dark [/Sad Edit]

Angler EK successfully exploiting IE11, win7 x64 Flash

Sample in that pass : 061c086a4da72ecaf5475c862f178f9d
(Out of topic payload : Rioselx.A 8adbb946d84f34013719a7d13fa4b437 which interestingly grab Qadars ( 5efd70a7b9aecf388ae4d631db765d77) as 2nd Stage)

[Edit 2015-07-08
Angler EK is trying to avoid IDS changing URI pattern.
Angler EK changes landing pattern drastically
Here are some :

Files: Fiddler  (password is malware)

Neutrino :
As spotted by Malwarebytes

Neutrino successfully exploiting IE11, Win7x64, Flash

Sample in that pass : 6d14ba5c9719624825fd34fe5c7b4297
(out of topic payload : bunitu bfc1801adf55818b7b08c5cc064abd0c )
Files: Fiddler (password is malware)

Nuclear Pack :

Nuclear Pack successfully exploiting IE11, Win7x64, Flash
Sample in that pass :  16ac6fc55ab027f64d50da928fea49ec
(Out of topic payload : Troldesh.a : 2e67ccdd7d6dd80b248dc586cb2c4843 )
Files: Fiddler (password is malware)

[Edit 2015-07-08]
Patch is Available
Flash fixing CVE-2015-5119 is out.
Right now you're safe on all previously mentioned EK with it.
[/edit 2015-07-08]

Magnitude :

Flash exploited via CVE-2015-5119 in Magnitude
2015-08-08 (after Patch)
Sample in that pass : 313cf1faaded7bbb406ea732c34217f4
Out of topic dropped: 5b85fae87c02c00c0c78f70a87e9e920 most probably Cryptowall)
Files: Fiddler (password is malware)


Flash exploited via CVE-2015-5119 by RIG
2015-08-09 (after Patch)
Sample in that pass : 6f64187b221b1b7d570fdd70900b8c17
(Out of topic payload:  195ce14e97761accda3d32dba0219f02 Cryptowall but you could have guess by the pattern of what i think are stolen from customer loads)
Files : Fiddler (password is malware)

Hanjuan :
Most probably before patch.
The following instance is operated by the same group who introduced CVE-2015-0313 in December.
They are doing some micro geo-targeting in the US it seems making them not that easy to catch.
Flash exploited via CVE-2015-5119 by Hanjuan
2015-08-09 (after Patch - but introduction of the exploit is older for sure)
Sample in that pass: 8731d5f453049e2df7e781d43fdcf0cb
(Out of topic payload : it's bedep in Fileless grabbing same AdFraud than in January)
Files : Fiddler (password is malware)

NullHole :
(see this post for more info about NullHole)

Flash exploited via CVE-2015-5119 by NullHole
Sample in that pass:  f27059fc817de6a5840d0b064921b54f
(out of topic payload : 9421b8b31ace48daafc31fd56af19cc9 )
Files :  Fiddler (Password is malware)

Read More :
Leaked Flash zero-day likely to be exploited by attackers - 2015-07-07 Symantec
(Google Translate) : Hacking Team attack code analysis Part 1: Flash 0day - 2015-07-07  - 360 Security
PSA: Flash Zero-Day Now Active in The Wild - 2015-07-07 - Malwarebytes

Post Publication Readings :
CVE-2015-5119 Flash ByteArray UaF: A beginner’s walkthrough - 2015-09-24 - PortCullis Labs
Sednit APT Group Meets Hacking Team - 2015-07-10 - Eset
Hacking Team Flash Zero-Day Integrated Into Exploit Kits - 2015-07-07 - TrendMicro
APT Group UPS Targets US Government with Hacking Team Flash Exploit - 2015-07-10 Palo Alto