While other exploit kits are struggling to keep up with Angler (none is firing CVE-2015-8446, maybe because of the Diffie-Hellman protection on Angler's exploits):
- Nuclear, Magnitude and Neutrino's latest exploits are from October (CVE-2015-7645)
- RIG and Sundown are relying on July exploits (Hacking Team's CVE-2015-5122)
(all have the IE CVE-2015-2419 from August)
Angler has just integrated CVE-2015-8651, patched with Flash 18.104.22.1680 on 2015-12-28.
Angler EK: 2016-01-25
The exploit might have been there since the 22nd, based on some header modifications that appeared that day.
It's not yet pushed in all Angler EK threads, but it is widely spread.
Thanks to Anton Ivanov (Kaspersky) for the CVE identification!
|CVE-2015-8651 (and CVE-2015-2419) being successfully exploited by Angler EK to load bedep in memory|
Another pass via the "noisy" Cryptowall "crypt13x" actor, whose threads also have it:
|CVE-2015-8651 being successfully exploited by Angler EK to load Cryptowall (crypt13001)|
From the widely spread and covered "crypt13x" actor thread - 2016-01-25
(Out of topic payload: 5866906a303b387b9918a8d7f8b08a51 - Cryptowall crypt13001)
I have been told by Eset that the exploit is successful on Flash 22.214.171.124 and Firefox.
I spotted a thread serving a landing and an exploit to Firefox.
2016-03-23 Firefox pass with sandbox escape:
|Angler EK exploiting CVE-2015-8651 on Firefox 33.1.1 and Flash 126.96.36.1995|
Bedep successfully wrote its payload on the drive.
Thanks to Eset for identifying the added CVE here.
Neutrino exploiting CVE-2015-8651 on 2016-02-09
Here Bunitu is dropped.
Files: Fiddler here (password is malware)
Thanks again to Eset for the CVE identification here.
|Nuclear Pack exploit CVE-2015-8651 on 2016-02-10|
Out of topic payload: cdb0447019fecad3a949dd248d7ae30f, which is a loader for CloudScout (topflix .info, which we can find in RIG as well these days)
It seems Chrome won't save you if you do let it update.
|2016-02-17 on DE/US/FR traffic|
This is not something I can reproduce.
This is what I get with Chrome 46.0.2490.71 and its builtin Flash 188.8.131.52 (which should quickly update itself to the latest version).
Files: Fiddler here (password: malware)
CVE ID confirmed by Anton Ivanov (Kaspersky).
|Magnitude dropping Cryptowall via CVE-2015-8651|
Some days before 2016-04-06.
Thanks to FireEye for the CVE identification.
|CVE-2015-8651 successfully exploited by RIG on 2016-04-07|
(Out of topic payload: 30cb7ed7a67eb08fa2845990b7270d64d51e769d6e0dad4f9c2b8e7551bced0a - probably Godzilla downloader)
Files: RIG_2016-04-07 (swf, payload and Fiddler - password is malware)
(Google Translate, via @eromang) Offshore "Dark Hotel" organization launched APT attacks on domestic business executives - 2015-12-31 - ThreatBook
Post-publication reading:
An Analysis on the Principle of CVE-2015-8651 - Antiy Labs - 2016-01-26