Fixed with the January 2016 Microsoft patches, CVE-2016-0034 ( MS16-006 ) is a Silverlight Memory Corruption vulnerability and it has been spotted by Kaspersky with rules to hunt Vitaliy Toropov’s unknown Silverlight exploit mentioned in HackingTeam leak.
Angler EK :
On the 2016-02-18 the landing of Angler changed slightly to integrate this piece of code :
|Silverlight integration Snipet from Angler Landing after decoding|
resulting in a new call if silverlight is installed on the computer:
|Angler EK replying without body to silverlight call|
Here a Pass in great britain dropping Vawtrak via Bedep buildid 7786
2016-02-22 Here we go : call are not empty anymore.
|Angler EK dropping Teslacrypt via silverlight 5.1.41105.0 after the "EITest" redirect |
Edit1 : I received confirmation that it's indeed CVE-2016-0034 from multiple analyst including Anton Ivanov (Kaspersky). Thanks !
Xap file : 01ce22f87227f869b7978dc5fe625e16
Dll : 22a9f342eb367ea9b00508adb738d858
Out of topic payload : 6a01421a9bd82f02051ce6a4ea4e2edc (Teslacrypt)
Fiddler sent here
Malc0de spotted modification in the Rig landing indicating integration of Silverlight Exploit.
Here is a pass where the Silverlight is being fired and successfully exploited. CVE identification by : Anton Ivanov (Kaspersky)
|RIG - CVE-2016-0034 - 2016-03-29|
Xap file in that pass : acb74c05a1b0f97cc1a45661ea72a67a080b77f8eb9849ca440037a077461f6b
containing this dll : e535cf04335e92587f640432d4ec3838b4605cd7e3864cfba2db94baae060415
( Out of topic payload : Qbot 3242561cc9bb3e131e0738078e2e44886df307035f3be0bd3defbbc631e34c80 )
Files : Fiddler and sample (password is malware)
The Mysterious Case of CVE-2016-0034: the hunt for a Microsoft Silverlight 0-day - 2016-01-13 - Costin Raiu & Anton Ivanov - Kaspersky
Post Publication Reading:
(PDF) Analysis of Angler's new silverlight Exploit - 2016-03-10 - Bitdefender Labs