2016-01-25 - Exploit Integration

CVE-2015-8651 (Flash up to 20.0.0.228/235) and Exploit Kits

While other exploit kit are struggling to keep up with Angler (none is firing CVE-2015-8446 , maybe because of the Diffie-Hellman protection on Angler's exploits ),

- Nuclear / Magnitude and Neutrino last exploits are from October (CVE-2015-7645)

- RIG and Sundown are relying on July exploits (Hacking Team's one - CVE-2015-5122)
( all have the IE CVE-2015-2419 from august)

Angler has just integrated CVE-2015-8651 patched with Flash 20.0.0.270 on 2015-12-28

Angler EK : 2016-01-25
The exploit might be here since the 22 based on some headers modification which appeared that day.
It's not yet pushed in all Angler EK threads but widely spread.
Thanks Anton Ivanov (Kaspersky) for CVE Identification !

CVE-2015-8651 (and CVE-2015-2419) being successfully exploited by Angler EK to load bedep in memory
2016-01-25

Fiddler sent to VT.

---
Another pass via the "noisy" Cryptowall "crypt13x" actor which threads also has it :

CVE-2015-8651 being successfully exploited by Angler EK to load Cryptowall (crypt13001)
from the widely spread and covered "crypt13x" actor thread - 2016-01-25

(Out of Topic payload : 5866906a303b387b9918a8d7f8b08a51 Cryptowall crypt13001 )

I have been told by Eset that the exploit is successful on Flash 20.0.0.235 and Firefox.
---
I spotted a thread serving a landing and an exploit to Firefox.
2016-03-23 Firefox pass with Sandbox escape :

Angler EK exploiting CVE-2015-8651 on Firefox 33.1.1 and Flash 20.0.0.305
Bedep successfully wrote its payload on the drive.
2016-03-23

Files : Fiddler in a zip (password malware)

Neutrino :
Thanks Eset for identifying the added CVE here.

Neutrino Exploiting CVE-2015-8651 on 2016-02-09

Here Bunitu dropped

Note: For some reason couldn't have it working with Flash 20.0.0.228.

Files : Fiddler here (password is malware)

Nuclear Pack:

Thanks again Eset for CVE identification here.

Nuclear Pack exploit CVE-2015-8651 on 2016-02-10

Out of topic payload: cdb0447019fecad3a949dd248d7ae30f which is a loader for CloudScout (topflix .info - which we can find in RIG as well those days)

It seems Chrome won't save you if you do let it update.

2016-02-17 on DE/US/FR traffic

This is not something i can reproduce.

Is what i get with Chrome 46.0.2490.71 and its builtin 19.0.0.207 (which should fast update itself to last version)

Files : Fiddler here (password: malware)

Magnitude:
2016-02-18
CVE ID confirmed by Anton Ivanov (Kaspersky)

Magnitude dropping Cryptowall via CVE-2015-8651
2016-02-18

Files : Fiddler here (Password is malware)

RIG :
Some days before 2016-04-06
Thanks FireEye for CVE identification.

CVE-2015-8651 successfuly exploited by RIG on 2016-04-07

Sample in that pass: 4888cc96a390e2970015c9c1d0206011a6fd8e452063863e5e054b3776deae02
( Out of topic payload: 30cb7ed7a67eb08fa2845990b7270d64d51e769d6e0dad4f9c2b8e7551bced0a Probably Godzilla downloader)
Files : RIG_2016-04-07 (swf, payload and Fiddler - password is malware)

Read More:
(GoogleTranslate - via @eromang ) Offshore "Dark Hotel" organization of domestic business executives launched APT attacks - 2015-12-31 - ThreatBook

Post publication reading :
An Analysis on the Principle of CVE-2015-8651 - Antiy Labs - 2016-01-26