A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #25939  by b33f
 Wed May 27, 2015 10:07 pm
Hey All,

So after another painful round of flash patches on 13/05/2015:
http://www.cvedetails.com/vulnerability ... layer.html

It seems that today FireEye and @Kafeine identified Angler EK firing off CVE-2015-3090 targeting flash version 17.0.0.169. Of course by the time I got back from work I could not get any of the listed domains to exploit my sandbox :( If anyone has a sample of the CVE or even better a pcap, I would be really grateful if you could share it or upload it to malwr.

So far, I think the known SWF hashes are:
1436e63f983604aa7b2ace32e797231a
6cb6701ba9f78e2d2dc86d0f9eee798a


-b33f
 #25949  by b33f
 Thu May 28, 2015 5:14 pm
Hey Xylitol,

Thanks a lot for the sample, I'm going to have some fun trying to decompile it. If anyone has a pcap where the exploit gets sent I'm still eager to have a look at it! Feel free to anonymize any data you feel may be sensitive.

-b33f (@FuzzySec)
 #25950  by robemtnez
 Fri May 29, 2015 1:18 am
I got one today, it has a different hash. I'm attaching the pcap.

Also noticed a change in the URL pattern for Flash exploit delivery. The URL was "hxxp://influencerions-takaguti.mywhcoleman[.]com/BiuX3Wn4b4bpwCihqcrFooHdKXgrfY5zo-BpxWz1kjd51Imz.php?"
Attachment: infected (100.65 KiB)
 #26066  by b33f
 Fri Jun 12, 2015 6:36 pm
Hey robemtnez,

Sorry for the late reply, thanks for this, I had a jolly old time analyzing the obfuscated JS and ActionScript! It seems like CVE-2015-3090 has crept into other exploit kits (Nuclear, Magnitude, Neutrino, RIG). If anyone has more packet captures I'd be quite interested in comparing the delivery methods and the actual swf itself.

After a public exploit surfaces, I want to write a blog post about the CVE (if time allows hehe).

-b33f (@FuzzySec)
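The thread asks for pcaps so the delivered SWFs can be compared against the two MD5s in the first post. As an added example (not code from the thread or from any tool mentioned in it), the following Python carves Flash files out of a reassembled HTTP stream, hashes each file exactly as it was delivered (which is what the posted MD5s are over), flags any that match, and rewrites zlib-compressed CWS files to plain FWS for a decompiler. The HTTP responses and SWF bodies it runs on are constructed inline and are not real samples; the 64 MiB size cap is an assumption, and LZMA (ZWS) files are only recognised, not carved.

```python
import hashlib
import struct
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two SWF MD5s listed in the first post of the thread.
KNOWN_SWF_MD5 = {
    "1436e63f983604aa7b2ace32e797231a",
    "6cb6701ba9f78e2d2dc86d0f9eee798a",
}
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
MAX_DECLARED_LEN = 64 * 1024 * 1024  # assumption: sanity cap on the header length field


@dataclass
class CarvedSwf:
    offset: int         # where the SWF header starts in the stream
    signature: str      # FWS (plain), CWS (zlib), ZWS (LZMA)
    version: int
    declared_len: int   # FileLength from the header: uncompressed size incl. header
    data: bytes         # the file exactly as delivered (what the posted MD5s are over)

    def md5(self) -> str:
        return hashlib.md5(self.data).hexdigest()

    def is_known(self) -> bool:
        return self.md5() in KNOWN_SWF_MD5


def _swf_extent(buf: bytes, start: int) -> Optional[Tuple[int, int]]:
    """Return (declared_len, on_wire_len) for a header at `start`, or None if not a SWF."""
    sig = buf[start:start + 3]
    declared = struct.unpack_from("<I", buf, start + 4)[0]
    if declared < 8 or declared > MAX_DECLARED_LEN:
        return None
    if sig == b"FWS":
        # Plain SWF: the header length is also the on-wire length.
        return None if start + declared > len(buf) else (declared, declared)
    if sig == b"CWS":
        # zlib SWF: the header only carries the uncompressed size, so inflate to
        # the end of the zlib stream and measure how many input bytes it consumed.
        d = zlib.decompressobj()
        try:
            body = d.decompress(buf[start + 8:])
        except zlib.error:
            return None
        if not d.eof or len(body) + 8 != declared:
            return None
        consumed = len(buf) - (start + 8) - len(d.unused_data)
        return declared, 8 + consumed
    return None  # ZWS (LZMA) is recognised but not carved in this example


def carve_swfs(buf: bytes) -> List[CarvedSwf]:
    """Scan a reassembled HTTP stream (or any blob) for SWF files."""
    found: List[CarvedSwf] = []
    i = 0
    while i + 8 <= len(buf):
        if buf[i:i + 3] in SWF_SIGNATURES:
            ext = _swf_extent(buf, i)
            if ext is not None:
                declared, on_wire = ext
                found.append(CarvedSwf(i, buf[i:i + 3].decode(), buf[i + 3],
                                       declared, buf[i:i + on_wire]))
                i += on_wire
                continue
        i += 1
    return found


def to_uncompressed(swf: CarvedSwf) -> bytes:
    """Rewrite a CWS as FWS so a decompiler can read it; FWS is returned as is."""
    if swf.signature == "FWS":
        return swf.data
    if swf.signature == "CWS":
        header = b"FWS" + bytes([swf.version]) + struct.pack("<I", swf.declared_len)
        return header + zlib.decompress(swf.data[8:])
    raise ValueError("ZWS (LZMA) not handled here")


def make_swf(sig: bytes, version: int, body: bytes) -> bytes:
    """Build a minimal SWF for testing (constructed, not a real sample)."""
    header = sig + bytes([version]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if sig == b"CWS" else body)


# Constructed data: a minimal SWF body (empty RECT, 12 fps, 1 frame, End tag)
# delivered twice, plain and zlib-compressed, plus a decoy "FWS" in a header.
BODY = b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"
SAMPLE_FWS = make_swf(b"FWS", 17, BODY)
SAMPLE_CWS = make_swf(b"CWS", 17, BODY)
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/x-shockwave-flash\r\n\r\n"
    + SAMPLE_FWS
    + b"\r\nHTTP/1.1 200 OK\r\nX-Note: this is not a FWS file\r\n\r\n"
    + SAMPLE_CWS
)

if __name__ == "__main__":
    for swf in carve_swfs(SAMPLE_STREAM):
        tag = "KNOWN" if swf.is_known() else "new"
        print(f"{swf.offset:6d} {swf.signature} v{swf.version} "
              f"{len(swf.data):6d}B {swf.md5()} {tag}")
```

On a real capture, feed `carve_swfs` the reassembled TCP payload of the HTTP response (for example the body exported from a pcap), not the raw packet bytes. Hashing the carved bytes before any decompression matters: the MD5s people trade in threads like this are of the file as served, and a CWS inflated to FWS will never match them.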