Spotted in a "degraded" version on the 2016-04-02 in Magnitude, live also since 2016-03-31 in Nuclear Pack, Adobe was really fast at fixing this vulnerability with the patch released on the 2016-04-07 bringing Flash Player to version 22.214.171.124
It's not the first time a "0day" exploit is being used in a "degraded" state.
This happened before with Angler and CVE-2015-0310 and CVE-2014-8439
You'll find more details about the finding on that Proofpoint blog here :
"Killing a zero-day in the egg: Adobe CVE-2016-1019"
and on that FireEye blog here:
CVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit
Note : we worked with Eset, Kaspersky and Microsoft as well on this case.
Nuclear Pack :
Identification by Eset, Kaspersky and FireEye (Thanks)
|Exploit sent to Flash Player 126.96.36.1996 by Nuclear Pack on the 2016-03-31|
Sample in that pass: 301f163644a525155d5e8fe643b07dceac19014620a362d6db4dded65d9cad90
Out of topic example of payload dropped that day by that instance of Nuclear : 42904b23cff35cc3b87045f21f82ba8b (locky)
Note the string "CVE-2016-1001" in the Nuclear Pack, explaining why maybe this exploit is being used in a degraded state.
|CVE-2016-1001 string spotted by Denis O'Brien (Malwageddon), the 2016-04-05 in Nuclear Pack exploit|
2016-04-02 "Degraded" to 188.8.131.526
Identified as is by FireEye
[2016-04-07: TrendMicro told me they found some hits for this exploit in Magnitude back from 2016-03-31 as well]
|Magnitude exploiting Flash 184.108.40.2066 with CVE-2016-1019 the 2016-04-02 in the morning.|
Payload is Cerber.
Side note : the check on the redirector in front of Magnitude ( http://pastebin.com/raw/gfEz25fa ) which might have been fixed with the CVE-2015-2413 was in Magnitude landing itself from September to end of November 2015.
|res:// onload check features unobfuscated at that time in Magnitude Landing 2015-09-29|
Sample in that pass: 0a664526d00493d711ee93662a693eb724ffece3cd68c85df75e1b6757febde5
Out of topic payload: 9d92fb315830ba69162bb7c39c45b219cb8399dd4e2ca00a1e21a5457f92fb3c Cerber Ransomware
Note: I got successful pass with Windows 8.1 and Flash 220.127.116.112 as well and Windows 10 build 1511 (feb 2016) via Flash 18.104.22.1686 on Internet Explorer 11. Edge seems not being served a landing.
2016-04-11 - "degraded" as well it seems. (at least didn't got it to work on Flash 21.x)
CVE id by @binjo and Anton Ivanov (Kaspersky)
|Neutrino successfully exploit Flash 22.214.171.1246 with CVE-2016-1019|
Out of topic payload: 83de3f72cc44215539a23d1408c140ae325b05f77f2528dbad375e975c18b82e
Killing a zero day in the egg : CVE-2016-1019 - 2016-04-07 - Proofpoint
CVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit - 2016-04-07 - Genwei Jiang - FireEye
Zero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player - 2016-04-07 - Peter Pi, Brooks Li and Joseph C. Chen - TrendMicro