Neutrino after ScriptJS redirector dropping Locky Affid 13- 2016-07-13 |
Flash sample in that pass : 85b707cf63abc0f8cfe027153031e853fe452ed02034b792323eecd3bc0f7fd
(Out of topic payload : 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565ddee0cad4e249ce18 – Locky Affid 13 )
Thanks to Malc0de for invaluable help here 🙂
Some evidence of CVE-2016-0189 being integrated in Sundown were spotted on jul 15 by @criznash
On the 16th I recorded a pass where the CVE-2016-0189 had his own calls :
Sundown exploiting CVE-2016-0189 to drop Smokebot on the 2016-07-16 |
(Out of topic payload : 61f9a4270c9deed0be5e0ff3b988d35cdb7f9054bc619d0dc1a65f7de812a3a1 beaconing to : vicolavicolom.com | 185.93.185.224 )
Files : Sundown_CVE-2016-0189_160716 (password is malware)
RIG:
I saw it on 2016-09-12 but might have appeared before.
RIG successfully exploiting CVE-2016-0189 – 2016-09-12 |
CVE-2016-0189 from RIG after 3 step decoding pass |
Files : RIG_2016-0189_2016-09-12 (password is malware)
Magnitude:
Here pass from 2016-09-16 but is inside since at least 2016-09-04 (Source : Trendmicro – Thanks)
CVE-2016-0189 in Magnitude on 2016-09-16 |
Sorry i can’t share fiddler publicly in that case (Those specific one would give to attack side too much information about some of the technics that can be used – You know how to contact me)
Out of topic Payload: Cerber
a0d9ad48459933348fc301d8479580f8
5298ca5e9933bd20e051b81371942b2c
GrandSoft:
Spotted first on 2017-09-22 here is traffic from 2018-01-30 on : Win10 Build 10240 – IE11.0.10240.16431 – KB3078071
CVE-2016-0189 in GrandSoft on 2018-01-30 |
Out of topic Payload: GandCrab Ransomware
a15c48c74a47e81c1c8b26073be58c64f7ff58717694d60b0b5498274e5d9243
Fiddler here : GrandSoft_WorkingonIE11_Win10d.zip (pass is malware)
Edits :
2016-07-15 a previous version was stating CVE-2015-5122 for nw23. Fixed thanks to @dnpushme
2016-07-20 Adding Sundown.
2016-09-17 Adding RIG
2016-09-19 Adding Magnitude
2018-01-30 Adding GrandSoft (but appeared there on 2017-09-22)
Read More :
Post publication Reading :
Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release – 2016-07-14 – FireEye
MDNC | Malware don’t need Coffee