2017-01-06 - Exploit Integration

CVE-2016-7200 & CVE-2016-7201 (Edge) and Exploit Kits

CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, those have been fixed  in november 2016 (MS16-129) by Microsoft.

Note : No successful exploitation seen despite integration tries.

On 2017-01-04 @theori_io released a POC

providing again (cf CVE-2016-0189) ready-to-use code to Exploit Kit maintainer.

After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.

The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.

[edit : 2017-01-10]
​I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigation: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more "magic powder" to work there.


Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06
No exploitation here though
Fiddler: Sundown_Edge__CVE-2016-7201_170106.zip (password is malware)

Out of topic: expected payload in that infection chain was zloader. (other payload seen in past weeks dropped via Sundown : Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner)

Thanks to Trendmicro for the multiple inputs that allowed me to keep plugged to this infection chain.
So as explained previously Neutrino is now in full private mode and fueled via Malvertising bought to several ad agencies (e.g. ZeroPark, ClickAdu, PropellerAds, HillTopAds) by a Traffer actor which I tag as NeutrAds. Their infection chain is now accepting/redirecting Microsoft Edge Browser as well.
Without big surprise a new exploit is included in the Flash bundle : nw27 >  CVE-2016-7200/7201.

NeutrAds redirect is now  accepting Edge traffic - 2017-01-14

Neutrino Embedding CVE-2016-7200/7201 - 2017-01-14
(Neutrino-v flash ran into Maciej ‘s Neutrino decoder )

Extracted CVE-2016-7200/7201  elements - 2017-01-14

Note: i did not get infection with
- Edge 25.10586.0.0 / EdgeHTML 13.10586
- Edge 20.10240.16384.0

Fiddler&Pcap : Neutrino-v_CVE-2016-72007201_170114.zip  (Password is malware)
Extracted exploits: Neutrino_2017-01-14.zip (Password is malware)

reveiled[.space| - NeutrAds Filtering Redirector
vfwdgpx.amentionq[.win| - Neutrino

Payload in that pass : Gootkit - b5567655caabb75af68f6ea33c7a22dbc1a6006ca427da6be0066c093f592610
Associated C2 :
buyyou[.org |

So those days, in Asia you'll most probably get Cerber and in EU/NA you'll most probably get Gootkit
MISP : taxonomy illustrating some NeutrAds into Neutrino-v recorded activity (and post infection)
2017-01-15 Finding by Simon Choi

CVE-2016-7200/7201 code fired by Kaixin - 2017-01-16
Fiddler : Kaixin_2017-01-16.zip (Password is malware)

Out of topic: payload in another pass (not fired by this exploit) was Blackmoon/Banbra 6c919213b5318cdb60d67a4b4ace709dfb7e544982c0e101c8526eff067c8332


2016-11-10 - Adding information about mitigation on Edge
2016-11-14 - Adding Neutrino
2016-11-16 - Fixed the screenshot for Neutrino. Was stating CVE-2016-4117 was there. It's not
2016-11-16 - Adding Kaixin

Read More:
Three roads lead to Rome - Qihoo360 - 2016-11-29
Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) - Theori-io - 2017-01-04