2015-08-31 - Exploit Integration

CVE-2015-5560 (Flash up to 18.0.0.209) and Exploit Kits




Patched with flash version 18.0.0.232, CVE-2015-5560 is now being exploited by Angler EK.

Angler EK :
2015-08-29
[Edit : 2015-09-01] Exploit candidated by by Anton Ivanov ( Kaspersky ) as CVE-2015-5560 [/edit]
The exploit has been added the 28th. It's not being sent to Flash 18.0.0.232..
It uses the same Diffie-Hellman Key Exchange technique described by FireEye as in their CVE-2015-2419 implementation making a default fiddler unreplayable.

Angler EK pushing Bedep to Win7 IE11 Flash 18.0.0.209 - CVE-2015-5560
2015-08-29


Sample in that pass : 9fbb043f63bb965a48582aa522cb1fd0
Fiddler sent to VT (password is malware)
Note: with help from G Data, a replayable fiddler is available. No public share (you know how to get it).

Nuclear Pack :
2015-09-10
Additional post spotted on the 2015-09-10

Nuclear Pack additionnal post on 2015-09-10 showing integration of CVE-2015-5560 was on the road
and got a first payload  the day after :

Nuclear Pack successfully exploiting Flash 18.0.0.209 with CVE-2015-5560 (rip from Angler)
2015-09-11
Out of topic payload : 91b76aaf6f7b93c667f685a86a7d68de  Smokebot C&C  hostnamessimply1.effers .com: )
Files : Fiddler here (Password is malware)

Read More :
Adobe Flash: Overflow in ID3 Tag Parsing - 2015-06-12 Google Security Research
Three bypasses and a fix for one of Flash's Vector.<*> mitigations - 2015-08-19 - Chris Evans - Google Project Zero
CVE-2015-2419 – Internet Explorer Double-Free in Angler EK  - 2015-08-10 - FireEye
Bedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schartz - Arbor Sert
Post publication reading :
Attacking Diffie-Hellman protocol implementation in the Angler Exploit Kit - 2015-09-08 Kaspersky
Analysis of Adobe Flash Player ID3 Tag Parsing Integer Overflow Vulnerability (CVE-2015-5560) - 2016-01-12 - Nahuel Riva - CoreSecurity

EXPLOIT-KIT
Nuclear Pack Flash 18.0.0.209 CVE-2015-5560 Angler EK