2016-05-21 - Exploit Integration

CVE-2016-4117 (Flash up to and Exploit Kits

Discovered being exploited in the wild by FireEye [1] on May 8, 2016 and patched four days later in a Flash update, CVE-2016-4117 is making its way into exploit kits.

Magnitude :
CVE confirmed by FireEye - thanks!
On 2016-05-21 Magnitude is firing an exploit at Flash up to

Magnitude firing exploit to Flash - 2016-05-21
For now I did not get exploitation in the different passes I tried, but in the Flash exploit we can see some quite explicit imports:

 import com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation;

Magnitude Flash Exploit showing import of the DeleteRangeTimelineOperation

Spotted sample :  f5cea58952ff30e9bd2a935f5843d15952b4cf85cdd1ad5d01c8de2000c48b0a
Fiddler sent here.
Updates to come as it appears to be a work in progress.

Neutrino :
Spotted by Eset.

2016-05-23: Neutrino successfully exploits CVE-2016-4117 in Flash and drops CryptXXX.
Sample in that pass : 30984accbf40f0920675f6ba0b6daf2a3b6d32c751fd6d673bddead2413170e8
Fiddler sent here (password : malware)
Out of topic payload: 110891e2b7b992e238d4afbaa31e165a6e9c25de2aed442574d3993734fb5220 CryptXXX

Angler EK:
CVE identification by Henri Nurmi from F-Secure. Thanks !
Angler EK successfully exploits Flash via CVE-2016-4117 on 2016-05-23, dropping Dridex.

Sample in that pass : 310528e97a26f3fee05baea69230f8b619481ac53c2325da90345ae7713dcee2
Fiddler sent here
Out of topic payload : 99a6f5674b738591588416390f22dedd8dac9cf5aa14d0959208b0087b718902
Most likely Dridex 123 targeting Germany, based on the distribution path.

Sundown : [3]

Sample in that pass : cf6be39135d8663be5241229e0f6651f9195a7434202067616ae00712a4e34e6

Fiddler sent here (password : malware)

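The Magnitude section above identifies the exploit by the DeleteRangeTimelineOperation import, and each section lists a SHA-256 for the captured SWF. Both are only useful if you can apply them to a file pulled out of a Fiddler capture, and a plain grep for the class name fails on the compressed CWS/ZWS containers EKs actually serve. The following triage helper is an added example, not code from the original post or from any of the EKs: it decompresses the SWF container, hashes the file against the four sample hashes listed here, and searches the decompressed body for the import string. The make_test_swf helper builds constructed, harmless SWF wrappers so the script runs offline; the hashes and the indicator string are the ones quoted in this post.

```python
import hashlib
import lzma
import struct
import zlib

# Indicator taken from this post: the ActionScript class imported by the
# Magnitude exploit. The string survives in the SWF's DoABC data, but only
# after the container is decompressed, so a plain grep over the file misses it.
INDICATOR = b"com.adobe.tvsdk.mediacore.timeline.operations.DeleteRangeTimelineOperation"

# SHA-256 values listed in this post, keyed by the EK they were captured from.
KNOWN_SAMPLES = {
    "f5cea58952ff30e9bd2a935f5843d15952b4cf85cdd1ad5d01c8de2000c48b0a": "Magnitude",
    "30984accbf40f0920675f6ba0b6daf2a3b6d32c751fd6d673bddead2413170e8": "Neutrino",
    "310528e97a26f3fee05baea69230f8b619481ac53c2325da90345ae7713dcee2": "Angler EK",
    "cf6be39135d8663be5241229e0f6651f9195a7434202067616ae00712a4e34e6": "Sundown",
}


def decompress_swf(data):
    """Return (swf_version, uncompressed body) for an FWS/CWS/ZWS file.

    SWF header: 3-byte signature, 1-byte version, 4-byte LE total length of
    the uncompressed file (header included). Only the bytes after the
    8-byte header are compressed.
    """
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    if sig == b"FWS":                      # uncompressed
        return version, data[8:]
    if sig == b"CWS":                      # zlib
        return version, zlib.decompress(data[8:])
    if sig == b"ZWS":                      # LZMA (SWF version 13 and later)
        # After the header: 4-byte compressed length, 5-byte LZMA properties,
        # then the raw LZMA stream. Rebuilding a .lzma (FORMAT_ALONE) header
        # with an "unknown size" field lets liblzma decode it.
        props, stream = data[12:17], data[17:]
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
        return version, dec.decompress(props + b"\xff" * 8 + stream)
    raise ValueError("not a SWF signature: %r" % sig)


def triage(data):
    """Hash a captured file, match it against the post's hashes, look for the indicator."""
    sha256 = hashlib.sha256(data).hexdigest()
    result = {"sha256": sha256, "known_ek": KNOWN_SAMPLES.get(sha256),
              "swf": False, "version": None, "indicator": False}
    try:
        version, body = decompress_swf(data)
    except (ValueError, zlib.error, lzma.LZMAError):
        return result                      # not a SWF, or a corrupt container
    result.update(swf=True, version=version, indicator=INDICATOR in body)
    return result


def make_test_swf(body, kind="CWS", version=21):
    """Wrap `body` in a constructed SWF container for testing (not an exploit)."""
    header = kind.encode() + bytes([version]) + struct.pack("<I", 8 + len(body))
    if kind == "FWS":
        return header + body
    if kind == "CWS":
        return header + zlib.compress(body)
    if kind == "ZWS":
        alone = lzma.compress(body, format=lzma.FORMAT_ALONE)
        props, stream = alone[:5], alone[13:]  # drop the 8-byte size field
        return header + struct.pack("<I", len(stream)) + props + stream
    raise ValueError(kind)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it as `python triage_swf.py saved_flash_*.swf` on files exported from the Fiddler session. A hash hit is exact and therefore fragile (EKs repack the SWF per visit, so expect misses on fresh captures); the import-string hit is the more durable signal, but it is a hint rather than proof, since the same TVSDK class is legitimately imported by non-malicious AIR/Primetime content.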
Read More:
[1] CVE-2016-4117: Flash Zero-Day Exploited in the Wild - 2016-05-13 - Genwei Jiang - FireEye
[2] New Flash Vulnerability CVE-2016-4117 Shares Similarities With Older Pawn Storm Exploit - 2016-05-13 - Moony Li - Trend Micro
[3] Sundown EK – Stealing Its Way to the Top - 2016-09-02 - SpiderLabs