Topic: Sweet Orange exploit kit now contains CVE-2014-6332 exploit

November 21, 2014, 11:25:43 pm
Today I came across several instances of the Sweet Orange exploit kit. I didn't know it was Sweet Orange when I found it, but kafeine confirmed it is Sweet Orange. Thanks!

Here is an example.

Obfuscated exploit kit code looks like this:

This is how it looks deobfuscated:

Decode the text block starting with

Code:
if (true){
  scriptvar = '

using Base64. The result is a CVE-2014-6332 exploit in plain text.

See CVE-2014-6332 exploit code here:

Detection of the payload was low when I found it (VirusTotal 2/55).

Here is an analysis from Malwr:

I strongly recommend installing the MS14-064 security update immediately. At least 2 exploit kits are using a CVE-2014-6332 exploit now.
In case you are still running Windows XP, you are in trouble, because there is no patch for XP.
Ruining the bad guy's day
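
The decoding step described in the post, as an added example that is not part of the original post: a static extractor that pulls the string assigned to `scriptvar` out of deobfuscated page source and Base64-decodes it without executing anything. The sample page is constructed with harmless placeholder text; split literals, stripped padding and the VBScript hint (CVE-2014-6332 is reached through VBScript in Internet Explorer) are assumptions about what such a page may look like.

```python
import base64
import hashlib
import re

# Marker quoted in the post: the Base64 text starts right after "scriptvar = '".
MARKER = re.compile(r"scriptvar\s*=\s*'")
JOIN = re.compile(r"\s*\+\s*'")  # assumed: block may be split as 'a' + 'b'

# Constructed sample: harmless placeholder text, Base64-encoded, padding
# stripped and split over two literals. Not taken from a real landing page.
B64_SAMPLE = base64.b64encode(b"<script language=VBScript>\n' stub\n</script>").decode()
SAMPLE_PAGE = "if (true){\n  scriptvar = '%s' +\n    '%s';\n}" % (
    B64_SAMPLE[:20], B64_SAMPLE[20:].rstrip("="))


def extract_block(page):
    """Return the Base64 text assigned to scriptvar, joining split literals."""
    m = MARKER.search(page)
    if m is None:
        raise ValueError("scriptvar marker not found")
    pieces, pos = [], m.end()
    while True:
        end = page.find("'", pos)
        if end == -1:
            raise ValueError("unterminated string literal")
        pieces.append(page[pos:end])
        nxt = JOIN.match(page, end + 1)
        if nxt is None:
            break
        pos = nxt.end()
    return re.sub(r"\s+", "", "".join(pieces))


def decode_block(b64):
    """Decode statically (nothing is executed) and summarise for triage."""
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    raw = base64.b64decode(b64, validate=True)
    text = raw.decode("latin-1")
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # for sandbox/AV lookups
        "length": len(raw),
        "printable": all(c.isprintable() or c in "\r\n\t" for c in text),
        "vbscript": re.search(r"vbscript", text, re.I) is not None,
        "text": text,
    }


if __name__ == "__main__":
    print(decode_block(extract_block(SAMPLE_PAGE)))
```

The returned SHA-256 is of the decoded bytes, so it can be compared against sandbox or scanner records without handling the landing page itself.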