2015-08-11 - Exploit Integration

CVE-2015-2419 (Internet Explorer) and Exploit Kits

As published by FireEye, Angler EK is now exploiting CVE-2015-2419, fixed with MS15-065.

Angler EK:

It seems they might have started to work on that exploit as early as 2015-07-24, when some instances briefly used code to gather the ScriptEngineVersion from redirected visitors:

Angler EK gathering ScriptEngineVersion data the fast way.
Today the first pass I made showed a new POST call and successfully exploited a VM that used to be safe from Angler.

CVE-2015-2419 successfully exploiting IE11 in Windows 7
(Here Bedep grabbing Pony and TeslaCrypt, then doing some AdFraud)

I spent (too much ;) ) time trying to decode that b value in the POST reply.
Here are some materials:

- The landing after a first pass of decoding, with some comments: http://pastebin.com/JQuyAXar

The POST call is handled by String['prototype']['jjd']; ggg is sent in the POST data along with the ScriptEngineVersion (17728 in the shared pass).

- The l() function handling the POST: http://pastebin.com/hxZJwbaY
- The POST data and reply after a first pass of decoding: http://pastebin.com/raw.php?i=NWkU7CXr

Files: 2 Fiddlers (ScriptEngineVersion gathering and successful pass; use malware as password)

Thanks:
Horgh_RCE for his help

Magnitude:
(I am waiting for some strong confirmation that CVE-2015-2426 is used as PrivEsc only here)

Magnitude successfully exploiting CVE-2015-2419 to push an elevated (CVE-2015-2426) Cryptowall on IE11 in Win7
As you can see, the CVE-2015-2419 exploit is a rip of Angler EK's implementation (even containing their XTea key, although the payload is in the clear).

Note: CVE-2015-2426 seems to be used for privilege escalation only, and has been associated with the Flash exploit as well.

Cryptowall dropped by Magnitude executed as NT Authority\system after CVE-2015-2426

Pass showing the privilege escalation, associated with the Flash exploit as well.

Files: CVE-2015-2419 pass (password: malware)
CVE-2015-5122 pass featuring CVE-2015-2426 (password: malware)

Thanks:
Horgh_RCE, EKWatcher and Will Metcalf for their help

Nuclear Pack:

Nuclear Pack exploiting IE11 in Win7 with CVE-2015-2419 to push TeslaCrypt
Files: Fiddler (password is malware)

Neutrino:
CVE identification by Timo Hirvonen

Neutrino successfully exploiting CVE-2015-2419 on IE11 in Windows 7
(Out of topic payload: c7692ccd9e9984e23003bef3097f7746 Betabot)

Files: Fiddler (password is malware)

RIG:

RIG successfully exploiting CVE-2015-2419
(Out of topic payload: fe942226ea57054f1af01f2e78a2d306 Kelihos (kilo601))

Files: Fiddler (password is malware)

Hunter:
@hunter_exploit 2015-08-26

As spotted by Proofpoint, Hunter EK has integrated CVE-2015-2419.

Hunter Exploit Kit successfully exploiting CVE-2015-2419
Files: Fiddler (password is malware)

Kaixin:

Files: Fiddler here (password is malware)
(Out of topic payload: bb1fff88c3b86baa29176642dc5f278d firing PCRat/Gh0st ET rule 2016922)

Sundown:
2016-07-06 - Thanks to Anton Ivanov (Kaspersky) for confirmation

Sundown successfully exploiting CVE-2015-2419 - 2016-07-06
cmd into wscript into a Neutrino-ish named, RC4ed payload suggests this is a rip of the Neutrino implementation.

(Out of topic payload: bcb80b5925ead246729ca423b7dfb635 is a NetWire RAT)

Files: Sundown_CVE-2015-2419_2016-07-06 (password is malware)

Read More:
Hunter Exploit Kit Targets Brazilian Banking Customers - 2015-08-27 - Proofpoint
CVE-2015-2419 – Internet Explorer Double-Free in Angler EK - 2015-08-10 - Sudeep Singh, Dan Caselden - FireEye
2015-08-10 - ANGLER EK FROM SENDS BEDEP - this pass, shared by Brad from Malware-Traffic-Analysis, includes CVE-2015-2419
Generic bypass of next-gen intrusion / threat / breach detection systems - 2015-06-05 - Zoltan Balazs - Effitas
Post-publication reading:
Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 - Kaspersky