2015-10-29 - Exploit Integration
CVE-2015-7645 (Flash up to 19.0.0.207) and Exploit Kits
CVE-2015-7645 was fixed in Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, this exploit had already been reported to Adobe two weeks earlier (2015-09-29) by Natalie Silvanovich.
"I reported the Flash 0-day (CVE-2015-7645) two weeks before it was found in the wild https://t.co/nYeAWRG5jO" — Natalie Silvanovich (@natashenka), 16 October 2015
It has now made its way into exploit kits.
Angler EK:
2015-10-29
CVE ID confirmed by Anton Ivanov (Kaspersky).
Angler EK successfully exploiting Flash 19.0.0.207, 2015-10-29
Another sample: bea824974f958ac4efc58484a88a9c18
One more from the Poweliks instance: 0d72221d41eff55dcfd0da50cd1c545e
Fiddler capture (not replayable) sent to VT.
Payloads:
5a60925ea3cc52c264b837e6f2ee915e - Necurs
a9d5a9a997954f5421c94ac89d2656cd - Vawtrak (that one was not expected in this infection path)
2016-03-12
Edge is now being served a landing page, and the Flash file being sent targets this CVE, according to Kaspersky and ESET.
Angler EK exploiting Flash 18.0.0.209 on Windows 10 (build 10240) through Edge
Nuclear Pack:
2015-10-30
Nuclear Pack, which has been playing with its landing URI pattern lately, has integrated it.
CVE-2015-7645 in Nuclear Pack on 2015-10-30
Out of topic payload: 0b3de2a8d838883e10a1d824d20fe95c - Kelihos Loader (harsh02)
Fiddler sent to VT
Magnitude:
2015-11-10
Magnitude trying to exploit CVE-2015-7645, 2015-11-10
No payload, but the actor behind that thread would like to see you Cryptowalled. An update might come.
Spartan:
2015-11-12
Unsurprisingly, as Spartan is the work of the coder behind Nuclear Pack.
Note: old versions of Chrome (<= 43.0.257) and Firefox (< 38) seem to be falling as well.
Spartan pushing Pony and Alphacrypt via CVE-2015-7645, 2015-11-12
Sample in that pass: 1c074c862d3e25ec9674e6bd62965ad8 (another one: 66f34cd7ef06a78df552d18c729ae53c)
(Out of topic payloads: Pony 29c940f9d0805771e9c7ec8a5939fa25 (45.63.71.12 /myadvert/autoget.php) and Cryptowall 74ebff4acc4ad9c2a2e665ff293c02e6. NB: earlier today the drops were Pony and Alphacrypt.)
Fiddler sent to VT.
Neutrino:
Most probably appeared on 2015-10-16.
Necurs being dropped by Neutrino via CVE-2015-7645, 2015-11-17
(Out of topic payload: Necurs a83a96e87e80adef1e4598a645f2918c)
Fiddler sent to VT. (You might want to read the detailed analysis by Trustwave.)
Read More:
Adobe Flash: Type Confusion in IExternalizable.writeExternal When Performing Local Serialization - 2015-09-29 - Natalie Silvanovich
New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries - 2015-10-13 - Feike Hacquebord, Brooks Li, Peter Pi - TrendMicro
Latest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques - 2015-10-16 - Peter Pi - TrendMicro
Post-publication reading:
Neutrino Exploit Kit – One Flash File to Rule Them All - 2015-12-28 - Daniel Chechik and Anat Davidi - SpiderLabs/Trustwave