2015-01-21 - 0day

Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK

This is a fast post. I will update it heavily in the coming hours/days. Sorry for the resulting mess.

I spotted an instance of Angler EK which is sending three different bullets targeting Flash Player :

Their "standard" CVE-2014-8440 - cb89e2da32a672a2b2bfea5b41f45ad5
A fresh one (that is mentionned here and [edit 2015-01-22 : ] is a "downgraded" CVE-2015-0310 fixed by Flash 16.0.0.287) - 86ee0a34b6f9b57c732b1aa9f4c45575 which is striking Flash Player up to 15.0.0.242
and a third one ( md5 not shared publicly sorry). Note : This exploit is not being used in all Angler instances. [ 2015-01-23 : CVE-2015-0311 - 2015-01-24 : Flash 16.0.0.296 fix the issue.]

And it seems we have a problem with that third one :

Angler EK exploiting last version (16.0.0.257) of Flash Player 2015-01-21

Disabling Flash player for some days might be a good idea.

As I know I will get a lot of questions and mail, here are some of the tests I made :

Exploited :

TL:DR Any version of Internet Explorer or Firefox with any version of Windows will get owned if Flash up to 16.0.0.287 (included) is installed and enabled.

[Edit : 2015-01-22 - 15:30 GMT+2]
I did not talk about Firefox earlier cause there was a decision tree error and Firefox was not receiving the expected bullet. So i thought not talking about it was the best option.
Now that they fixed it, know that Firefox last version is owned as well
Test made with :
- Windows XP, Firefox 35, Flash 16.0.0.287
Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0

Till this morning Firefox users were safe.
Angler EK coders fixed the issue...and they are now under fire as well

[/Edit : 2015-01-22]

- Windows XP, IE6 to 8 obviously. Flash 16.0.0.257

- Windows XP, IE6 to 8 Flash 16.0.0.287 - 2015-01-22 (replayed in lab environnement) :

Replayed session of Angler EK with Flash 16.0.0.287 - 2015-01-22
This version is Fixing another vulnerability
CVE-2015-0310 wrongly reported in this blog as CVE-9162/9163

- Windows 7, IE8 , Flash 16.0.0.257 :
UA : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

- Win 8 IE10 with Windows8-RT-KB3008925-x86 (Flash 16.0.0.235) -
UA : Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)

- Win8 IE10 all updates (Flash 16.0.0.257)

- Win8.1 IE11 all updates (flash 16.0.0.257) - 2015-01-22
UA : Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Fully Update windows 8.1 with Internet Explorer 11 up to date.
Owned - 2015-01-22

Safe :

- Chrome : They are not firing that bullet
UA: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.99 Safari/537.36

More tests ongoing. I will update.

Payload :

In my opinion it's a little off topic..after flash exploitation they can do what they (multiple customer of the Exploit Kit) want and change it any time.

As I am getting a lot of question about it, i decided to add this part.

So the payload I got is Bedep which can have one or both of this functions : AdFraud, Malware loading.

This familly is the child of the group behind Angler EK and Reveton (and is fast replacing Reveton in many distribution path - We have seen this Ransomware -> AdFraud transition with Kovter as well, where some do Ransomware -> Banking (as did Qadars group) ) .

When it was first spotted (around september 2014) it was not persistent but there are now persistent version of it.

It's using the legit migsetup.exe to bypass UAC

Eight Days ago :

Registry entries from the Persistent Bedep
HKEY_CURRENT_USER\Software\Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32

Registry for the persistent Bedep
HKEY_CURRENT_USER\Software\Classes\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}

Today in an XP VM :

HKEY_CURRENT_USER\Software\Classes\CLSID\{E563E00A-58B3-4A37-8D94-F67EE73C36F9}\InprocServer32

HKEY_CURRENT_USER\Software\Classes\Drive\ShellEx\FolderExtensions\{E563E00A-58B3-4A37-8D94-F67EE73C36F9}

[Sample at the end]

Bedep is working in a Hidden Desktop

Default0 is an Hidden Desktop created by bedep.

Switching to that desktop (using for instance CmdDesktopSwitch) you might see things like :

Bedep faking some browsing with a French IP here. Open many windows, scroll etc....

I often monitor bedep traffic as it's a good source of referer for exploit kit.
Zombies are often brought to Magnitude, Sweet Orange, Archie etc.... You can even get a Cryptolocker or a CTB-Locker (critroni) via browsing made by bedep.

You are looking for Bedep traffic in your Network ?
Search for traffic with :
http://24x7searcher .com , http://global-game-search .me http://canopus-a7 .in, http://hot100games .in as referer (it's fake)

Search for call to :
Bedep C&C :
wzrdirqvrh07.com
jacafyfugdnvoov .com
46.105.251.1

AdFraud C&C :
http://canopus-a7 .in/task/9004/

185.48.56.103

You may find this kind of reply :

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 22 Jan 2015 11:09:08 GMT

Content-Type: text/html

Connection: keep-alive

Vary: Accept-Encoding

Content-Length: 305

1|http://hot100games .in|http://canopus-a7 .in/redirect/b4d037973887c5c58701139a0088c424/|Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET CLR 1.1.4322; .NET4.0C; Tablet PC 2.0)|en-US|343

Emet :

As i am being harassed by requests to test it, I endup installing Emet 5.1 and test it in live condition with Windows 8.1 32bits, Internet Explorer 11, Flash 16.0.0.257
I don't know how to use it. I just did an install, use recommended Settings. Finish.

Emet 5.1 after installation. Default Settings
2015-01-22

Here is what I got :

Emet 5.1 spotting StackPivot and protecting the VM against the Flash Vuln
2015-01-22

Please take it as it is ! A single pass test in One configuration.

[Edit : 2015-01-24]

You do not need an advanced weapon to effectively fire a Golden Bullet

Why bothering with an EK when you have CVE-2015-0311?Being used in standalone mode to spread Reveton on Adult Traffic pic.twitter.com/0a8JLzhOD7
— Kafeine (@kafeine) January 24, 2015

Asked in Comment : Sample pushed in that pass was : f9385217a5c03ecf9136ceca7e7d03d2
[/edit]

[Edit : 2015-01-27]
The CVE-2015-0311 has been deployed to all Angler EK instances.
[Edit]

Files:
One Bedep Sample - Disclaimer : Sample are really fast rotating and there are x64 version as well.
Nothing else yet. But you know how to contact me.

Post Publication Reading ;
CVE-2015-0311 (Flash up to 16.0.0.287) integrating Exploit Kits - 2015-01-29
A Different Exploit Angle on Adobe's Recent Zero-Day - 2015-01-27 - Dan Caselden, Corbin Souffrant, James T. Bennett - FireEye
Top adult site xHamster involved in large malvertising campaign - 2015-01-27 - Malwarebytes Labs
Analyzing CVE-2015-0311: Flash Zero Day Vulnerability - 2015-01-26 Peter Pi - TrendMicro
Adobe Security Bulletin - 2015-01-22

Thanks :
Websense for inputs allowing me to make additional live tests
-----------------------
As I want to thanks them for their Trust, I will shamelessly tell you that I tested it against the free version of Malwarebytes Anti Exploit (a product from one of my customer). They stopped it. Well done !