Spotted by Symantec in the wild and patched with MS16-051 in May 2016, CVE-2016-0189 is now being integrated into Exploit Kits.
Neutrino Exploit Kit:
Here on 2016-07-13, but I am being told that I am late to the party.
It’s already [CN] documented here
Neutrino after ScriptJS redirector dropping Locky Affid 13 – 2016-07-13

Flash sample in that pass: 85b707cf63abc0f8cfe027153031e853fe452ed02034b792323eecd3bc0f7fd
(Out of topic payload: 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565ddee0cad4e249ce18 – Locky Affid 13)


Thanks to Malc0de for invaluable help here 🙂

Files Here: Neutrino_CVE-2016-0189_160714 (Password is malware – VT Link)

Sundown:
Some evidence of CVE-2016-0189 being integrated into Sundown was spotted on July 15 by @criznash.
On the 16th I recorded a pass where CVE-2016-0189 had its own calls:

Sundown exploiting CVE-2016-0189 to drop Smokebot on the 2016-07-16

(Out of topic payload: 61f9a4270c9deed0be5e0ff3b988d35cdb7f9054bc619d0dc1a65f7de812a3a1 beaconing to: vicolavicolom.com | 185.93.185.224)
Files: Sundown_CVE-2016-0189_160716 (password is malware)

RIG:
I saw it on 2016-09-12, but it might have appeared before.

RIG successfully exploiting CVE-2016-0189 – 2016-09-12
CVE-2016-0189 from RIG after a 3-step decoding pass


Files: RIG_2016-0189_2016-09-12 (password is malware)

Magnitude:
Here is a pass from 2016-09-16, but it has been inside since at least 2016-09-04 (Source: Trend Micro – Thanks)

CVE-2016-0189 in Magnitude on 2016-09-16

Sorry, I can't share the Fiddler capture publicly in that case (those specific ones would give the attack side too much information about some of the techniques that can be used – you know how to contact me).

Out of topic Payload: Cerber
a0d9ad48459933348fc301d8479580f8
5298ca5e9933bd20e051b81371942b2c

GrandSoft:
Spotted first on 2017-09-22; here is traffic from 2018-01-30 on: Win10 Build 10240 – IE 11.0.10240.16431 – KB3078071

CVE-2016-0189 in GrandSoft on 2018-01-30

Out of topic Payload: GandCrab Ransomware
a15c48c74a47e81c1c8b26073be58c64f7ff58717694d60b0b5498274e5d9243

Fiddler here: GrandSoft_WorkingonIE11_Win10d.zip (pass is malware)


Edits:
2016-07-15 a previous version stated CVE-2015-5122 for nw23. Fixed thanks to @dnpushme
2016-07-20 Adding Sundown.
2016-09-17 Adding RIG
2016-09-19 Adding Magnitude
2018-01-30 Adding GrandSoft (but appeared there on 2017-09-22)

Read More:

[CN] NeutrinoEK来袭:爱拍网遭敲诈者病毒挂马 (NeutrinoEK strikes: Aipai site hit by a ransomware drive-by) – 2016-07-14 – Qihoo360
Patch Analysis of CVE-2016-0189 – 2016-06-22 – Theori
Internet Explorer zero-day exploit used in targeted attacks in South Korea – 2016-05-10 – Symantec
Neutrino EK: fingerprinting in a Flash – 2016-06-28 – Malwarebytes

Post-publication Reading:
Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release – 2016-07-14 – FireEye

MDNC | Malware don’t need Coffee