2015-10-29 - Exploit Integration

CVE-2015-7645 (Flash up to 19.0.0.207) and Exploit Kits



The CVE-2015-7645 has been fixed with Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, this exploit was already reported 2 weeks before (2015-09-29) to Adobe by Natalie Silvanovich.


It has now made its way to Exploit Kit

Angler EK :
2015-10-29
CVE id confirmed by by Anton Ivanov ( Kaspersky )

Angler EK successfully exploiting Flash 19.0.0.207
2015-10-29
Flash sample in that pass : 4af57fb1c71bb9c1599371d48240ff36
Another sample : bea824974f958ac4efc58484a88a9c18
One more from the Poweliks instance : 0d72221d41eff55dcfd0da50cd1c545e


Not replayable fiddler sent to VT

Out of topic sample loaded by bedep :
5a60925ea3cc52c264b837e6f2ee915e Necurs
a9d5a9a997954f5421c94ac89d2656cd Vawtrak ( < that one was not expected in that infection path)

2016-03-12
Edge is now being served a landing and the flash being sent is targeting this CVE according to Kaspersky and Eset

Angler EK exploiting Flash 18.0.0.209 on Windows 10 (build 10240) through Edge
Fiddler : AnglerEK_Edge_18.0.0.209_2016-03-11.zip

Nuclear Pack:
2015-10-30
Nuclear Pack which has been playing with landing URI pattern lately has integrated it
CVE-2015-7645 in Nuclear Pack on 2015-10-30
Sample in that pass : f5dd2623ae871d58483bf14ec5d635e4

Out of topic payload : 0b3de2a8d838883e10a1d824d20fe95c Kelihos Loader (harsh02)
Fiddler sent to VT

Magnitude:
2015-11-10
Magnitude trying to exploit CVE-2015-7645
2015-11-10
Spotted sample : 21993dd3b943d935a9296aeff831cbb9 CVE id confirmed by Timo Hirvonen
No payload but the actor behind that thread would like to see you Cryptowalled. Update might come.

Spartan :
2015-11-12
Without surprise as Spartan is the work of the coder of Nuclear Pack.
Note : old version of Chrome <= 43.0.257 and Firefox < 38 seems to be falling as well

Spartan pushing Pony and Alphacrypt via CVE-2015-7645
2015-11-12

Sample in that pass : 1c074c862d3e25ec9674e6bd62965ad8  (another one: 66f34cd7ef06a78df552d18c729ae53c )
(out of topic payload : Pony: 29c940f9d0805771e9c7ec8a5939fa25 (45.63.71.12 /myadvert/autoget.php) and Cryptowall 74ebff4acc4ad9c2a2e665ff293c02e6  NB earlier today drops were Pony and Alphacrypt ) 
Fiddler sent to VT

Neutrino:
Most probably appeared 2015-10-16
Necurs being dropped by Neutrino via CVE-2015-7645
2015-11-17
Sample in that pass: 7dd9813ef635e98dd9585deaefecfcff
(Out of topic payload : Necurs a83a96e87e80adef1e4598a645f2918c )
Fiddler sent to VT  (You might want to read the detailed analysis by Trustave)

Read More :
Adobe Flash: Type Confusion in IExternalizable.writeExternal When Performing Local Serialization - 2015-09-29 - Natalie Silvanovich
New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries - 2015-10-13 - Feike Hacquebord - Brooks Li - Peter Pi - TrendMicro
Latest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques - 2015-10-16 - Peter Pi - TrendMicro

Post Publication Reading :
Neutrino Exploit Kit – One Flash File to Rule Them All - 2015-12-28 - Daniel Chechik and Anat Davidi - Spiderlabs/Trustwave

EXPLOIT-KIT
CVE-2015-7645 Angler Magnitude Nuclear Pack Spartan Exploit Kit