Author Topic: Sweet Orange exploit kit now contains CVE-2014-6332 exploit  (Read 19946 times)

November 21, 2014, 11:25:43 pm
SysAdMini

Today I came across several instances of the Sweet Orange exploit kit. I didn't know it was Sweet Orange when I found it, but kafeine confirmed it is Sweet Orange. Thanks!

Here is an example.

Obfuscated exploit kit code looks like this: http://pastebin.com/zhETf0J6

This is how it looks deobfuscated: http://wepawet.iseclab.org/view.php?hash=a4e22313eb87ff82ecab1ba6ff63cc41&t=1416575777&type=js

Decode the text block starting with

Code:
if (true){
  scriptvar = '
CkZ1bmN0aW9uIGIycyh4QmluYXJ5KQoKICAKIERpbSBCaW5hcnkKICBJZiB2YXJ0eXBlKHhCaW5hcnkpPTggVGhlbi
BCaW5hcnkgPSBNdWx0aUJ5dGVUb0JpbmFyeSh4QmluYXJ5KSBFbHNlIEJpbmFyeSA9IHhCaW5hcnkKICAKICBEaW0g

using Base64. Result is a CVE-2014-6332 exploit in plain text.

See CVE-2014-6332 exploit code here: http://pastebin.com/KX0yT7xt


Detection of the payload was low when I found it (VirusTotal 2/55).

https://www.virustotal.com/en/file/2b06af53567eb740b26b2da22368b2a3ec9651e90fa9de1482c383b9793c4f7b/analysis/1416577537/

Here is an analysis from Malwr : https://malwr.com/analysis/OGMzZDA4NjM0ZjJmNDU0ZWE5ZWZlODU4YTkzNDZmYTc/

I strongly recommend installing security update MS14-064 immediately. At least 2 exploit kits are using a CVE-2014-6332 exploit now.
In case you are still running Windows XP, you are in trouble, because there is no patch for XP.
Ruining the bad guy's day
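
The Base64 decoding step described in the post, as an added triage example that is not part of the original post: it pulls the `scriptvar` literal out of a deobfuscated page, tolerates a truncated dump, and reports which script markers the decoded text contains. The function names, the marker list and the closing quote in the sample are assumptions made for this example; the two Base64 lines are the ones quoted in the post.

```python
import base64
import re

# Base64 lines are the two quoted in the post (the block is cut off there);
# the closing quote and brace are constructed so the sample is self-contained.
SAMPLE = """if (true){
  scriptvar = '
CkZ1bmN0aW9uIGIycyh4QmluYXJ5KQoKICAKIERpbSBCaW5hcnkKICBJZiB2YXJ0eXBlKHhCaW5hcnkpPTggVGhlbi
BCaW5hcnkgPSBNdWx0aUJ5dGVUb0JpbmFyeSh4QmluYXJ5KSBFbHNlIEJpbmFyeSA9IHhCaW5hcnkKICAKICBEaW0g
';
}"""

# Assumption: the payload is the literal assigned to `scriptvar`, as in the post.
BLOB_RE = re.compile(r"scriptvar\s*=\s*'([A-Za-z0-9+/\s]+={0,2})")
# Assumption: generic VBScript keywords used as a quick content check.
VBS_MARKERS = ("Function ", "Dim ", "vartype(", "On Error Resume Next")


def extract_blob(js_text, min_len=64):
    """Return the Base64 text assigned to scriptvar with whitespace removed."""
    m = BLOB_RE.search(js_text)
    if not m:
        return None
    blob = re.sub(r"\s+", "", m.group(1))
    return blob if len(blob) >= min_len else None


def decode_blob(blob):
    """Decode Base64 that may be truncated mid-quantum, as in a partial dump."""
    blob = blob.rstrip("=")
    if len(blob) % 4 == 1:          # one stray character carries no full byte
        blob = blob[:-1]
    blob += "=" * (-len(blob) % 4)  # restore padding
    return base64.b64decode(blob, validate=True)


def triage(js_text):
    """Decode the embedded block and report which script markers it contains."""
    blob = extract_blob(js_text)
    if blob is None:
        return None
    text = decode_blob(blob).decode("latin-1")
    hits = [m for m in VBS_MARKERS if m.lower() in text.lower()]
    return {"b64_len": len(blob), "text": text, "vbscript_markers": hits}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A page whose `scriptvar` literal decodes to text with VBScript markers is worth flagging for manual review even when antivirus detection of the payload is still low.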