CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, those have been fixed in november 2016 (MS16-129) by Microsoft.
Note : No successful exploitation seen despite integration tries.
On 2017-01-04 @theori_io released a POC
Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) —https://t.co/DnwQt5giMB— Theori (@theori_io) 4 janvier 2017
providing again (cf CVE-2016-0189) ready-to-use code to Exploit Kit maintainer.
After not far from 6 months without new exploit integrated in an EK ecosystem which has lost its innovation locomotive (Angler) , the drive-by landscape is struggling to stay in shape. Low infection rate means more difficulties to properly convert bought traffic.
The exploits are spotted first in Sundown, but integration in RIG/Empire/Neutrino/Magnitude/Kaixin should be a matter of hours/days.
[edit : 2017-01-10]
I have been told that with Win10 1607, Microsoft Edge has some quite strong mitigation: no WinExec, no CreateProcess, no ShellExecute, meaning every child process creation is blocked. The PoC might need a little more “magic powder” to work there.
[/edit]
2017-01-06
 |
| Sundown EK firing CVE-2016-7200/7201 to Edge 2017-01-06 No exploitation here though |
Fiddler: Sundown_Edge__CVE-2016-7201_170106.zip (password is malware)
Out of topic: expected payload in that infection chain was zloader. (other payload seen in past weeks dropped via Sundown : Zeus Panda, Neutrino Bot, Dreambot, Chthonic, Andromeda, Smokebot, Betabot, Remcos, IAP, RTM, Kronos, Bitcoin Miner)
Neutrino:
2017-01-14
—
Thanks to Trendmicro for the multiple inputs that allowed me to keep plugged to this infection chain.
—
So as explained previously Neutrino is now in full private mode and fueled via Malvertising bought to several ad agencies (e.g. ZeroPark, ClickAdu, PropellerAds, HillTopAds) by a Traffer actor which I tag as NeutrAds. Their infection chain is now accepting/redirecting Microsoft Edge Browser as well.
Without big surprise a new exploit is included in the Flash bundle : nw27 > CVE-2016-7200/7201.
 |
| NeutrAds redirect is now accepting Edge traffic – 2017-01-14 |
 |
|
Neutrino Embedding CVE-2016-7200/7201 – 2017-01-14
(Neutrino-v flash ran into Maciej ‘s Neutrino decoder )
|
 |
| Extracted CVE-2016-7200/7201 elements – 2017-01-14 |
Note: i did not get infection with
– Edge 25.10586.0.0 / EdgeHTML 13.10586
– Edge 20.10240.16384.0
Fiddler&Pcap : Neutrino-v_CVE-2016-72007201_170114.zip (Password is malware)
Extracted exploits: Neutrino_2017-01-14.zip (Password is malware)
reveiled[.space|45.32.113.97 – NeutrAds Filtering Redirector
vfwdgpx.amentionq[.win|149.56.115.166 – Neutrino
Payload in that pass : Gootkit – b5567655caabb75af68f6ea33c7a22dbc1a6006ca427da6be0066c093f592610
Associated C2 :
buyyou[.org | 204.44.118.228
felixesedit[.com
fastfuriedts[.org
monobrosexeld[.org
So those days, in Asia you’ll most probably get Cerber and in EU/NA you’ll most probably get Gootkit
 |
| MISP : taxonomy illustrating some NeutrAds into Neutrino-v recorded activity (and post infection) |
Kaixin:
2017-01-15 Finding by Simon Choi
 |
| CVE-2016-7200/7201 code fired by Kaixin – 2017-01-16 |
Fiddler : Kaixin_2017-01-16.zip (Password is malware)
Out of topic: payload in another pass (not fired by this exploit) was Blackmoon/Banbra 6c919213b5318cdb60d67a4b4ace709dfb7e544982c0e101c8526eff067c8332
Callback:
http://r.pengyou[.com/fcg-bin/cgi_get_portrait.fcg?uins=1145265195
http://67.198.186[.254/ca.php?m=525441744D5441744D6A63744E3055744D554D745130493D&h=437
Edits:
2016-11-10 – Adding information about mitigation on Edge
2016-11-14 – Adding Neutrino
2016-11-16 – Fixed the screenshot for Neutrino. Was stating CVE-2016-4117 was there. It’s not
2016-11-16 – Adding Kaixin
Read More:
Three roads lead to Rome – Qihoo360 – 2016-11-29
Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201) – Theori-io – 2017-01-04
MDNC | Malware don’t need Coffee
