CVE-2018-15982 (Flash Player up to 31.0.0.153) and Exploit Kits

The CVE-2018-15982 is a bug that allows remote code execution in Flash Player up to 31.0.0.153, spotted in the wild as a 0day. Patched on December 05, 2018 with APSB18-42.

Underminer:

Underminer exploit kit improves in its latest iteration – 2018-12-21 – Malwarebytes

Fallout:

2019-01-16

Fallout_CVE-2018-15982

Figure 4: Fallout exploiting CVE-2018-15982 on Windows 7 – 2019-01-16

Files: Fiddler on VT – Pcap on VT

Associated Advert underground:

Итак! Тяжкие работы по восстановлению всей инфраструктуры связки закончены, были проведены тесты и в данный момент связка работает в полном объеме. Также были произведены множество правок и изменений.

Изменения:

  1. Увеличена производительность
  2. Полностью переработан механизм обфускации кода и генерации лэндинга.
  3. Убран CVE-2018-8373 на переработку. В данный момент сплоит ведет себя не стабильно.
  4. Добавлен новый флеш сплоит CVE-2018-15982.
  5. Для запуска повершелл в шеллкод добавлен код отключения AMSI
  6. Кучка мелких правок

ИЗМЕНЕНА ЦЕНОВАЯ ПОЛИТИКА Неделя 400$ Месяц 1300$

В данный момент при проверке отстука софта со связки было выявлено:

  1. Отстук EXE на уровне 80-90%
  2. Отстук PowerShell на уровне 95-100%

Translated by google as:

So! The hard work on the restoration of the entire infrastructure of the bundle was completed, tests were carried out and at the moment the bundle is working in full. There have also been many edits and changes.

Changes:

  1. Increased performance
  2. The code obfuscation and landing generation mechanism has been completely redesigned.
  3. Removed CVE-2018-8373 for recycling. At the moment, the flow rate is not stable.
  4. Added new flash sploit CVE-2018-15982.
  5. To launch Powershell, the disable code AMSI is added to the shellcode
  6. A bunch of minor edits

CHANGED PRICE POLICY Week 400 $ Month $ 1300

At the moment, when checking the otstuk software from the bundle, it was revealed:

  1. Otstuk EXE level 80-90%
  2. Otstuk PowerShell at the level of 95-100%
IOC Type Comment Date
payformyattention[.]site|51.15.35[.]154 domain|IP Fallout EK 2019-01-16
whereismyteam[.]press|51.15.111[.]159 domain|IP Fallout EK 2019-01-16
bd31d8f5f7d0f68222517afc54f85da9d305e63a2ff639c6c535e082de13dede SHA-256 GandCrab Ransomware 2019-01-16

Spelevo:

2019-03-06 Appears to be a new Exploit Kit which has some similarities with “SPL EK”. (CVE-2018-8174 has been spotted there as well)

Spelevo_CVE-2018-15982

Figure 4: Spelevo exploiting CVE-2018-15982 on Windows 7 – 2019-03-07

Acknowledgement:

Thanks to Chaoying Liu for CVE confirmation.

Files: Fiddler on VT – Pcap on VT (note: Some proxy were used)

IOC Type Comment Date
letsdoitquick[.]site|194.113.107.71 domain|IP Redirector (Keitaro TDS) 2019-03-07
index.microsoft-ticket[.]xyz|85.17.197[.]101 domain|IP Spelevo EK 2019-03-06
blasian.bestseedtodo[.]xyz|85.17.197[.]101 domain|IP Spelevo EK 2019-03-06
flashticket[.]xyz|85.17.197[.]101 domain|IP Spelevo EK 2019-03-06
read.updateversionswf[.]xyz|85.17.197[.]101 domain|IP Spelevo EK 2019-03-07
9aa8e341cc895350addaf268b21f7a716f6d7993575fdba67a3fe7a9e23b8f90 SHA-256 Gootkit “1999” 2019-03-07
2feba3cc47b7f1d47a9e1277c4f4ad5aa5126e59798ac096459d1eae8f573c35 SHA-256 Gootkit “3012” (2nd Stage) 2019-03-07
ws.blueberryconstruction[.]it|185.158.250[.]163 domain|IP Gootkit C2 2019-03-07
ws.diminishedvaluevirginia[.]com|185.158.251[.]115 domain|IP Gootkit C2 2019-03-07
gttopr[.]space|198.251.83[.]27 domain|IP Gootkit C2 2019-03-07

GreenFlash Sundown:

19.03.26 #Malvertising -> #GreenFlashSundown EK-> #SeonRansomware ver 0.2 & #pony & #miner using CVE-2018-15982 – 2019-04-05 – @vigilantbeluga

Shadowgate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit – 2019-06-27 – Trendmicro

Read More:

Adobe Flash Zero-Day Exploited In the Wild – 2018-12-05 – Gigamon

Underminer exploit kit improves in its latest iteration – 2018-12-21 – Malwarebytes

MDNC | Malware don’t need Coffee


Are you looking for products for hacking, cybersecurity, and penetration testing? Do you need to cleanse your smartphone, PC, or website from viruses and malware? Do you need to track down a person or recover urgent information? Do you need to regain control of an account, email, or password that has been stolen from you? Interested in purchasing pre-configured devices to easily and quickly experiment with hacking techniques? Do you have specific requirements in software or hardware? We can assist you!

Contact us immediately for immediate assistance: provide us with details via email or WhatsApp about the type of support you need, and we will respond you promptly!

Fill out and submit the form below to send us an immediate support request

Write your email address here

Write here how we can help you - we provide immediate support for all your needs!

chevron_left
chevron_right