Author Topic: Sweet Orange exploit kit now contains CVE-2014-6332 exploit  (Read 652 times)

0 Members and 1 Guest are viewing this topic.

November 21, 2014, 11:25:43 pm
Read 652 times

SysAdMini

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 3326
Today I came across several instances of Sweet Orange exploit kit. I didn't know it is Sweet Orange when I found it, but kafeine confirmed it is Sweet Orange. Thanks!

Here is an example.

Obfuscated exploit kit code looks like this: http://pastebin.com/zhETf0J6

This is how it looks deobfuscated: http://wepawet.iseclab.org/view.php?hash=a4e22313eb87ff82ecab1ba6ff63cc41&t=1416575777&type=js

Decode the text block starting with

Code: [Select]
if (true){
  scriptvar = '
CkZ1bmN0aW9uIGIycyh4QmluYXJ5KQoKICAKIERpbSBCaW5hcnkKICBJZiB2YXJ0eXBlKHhCaW5hcnkpPTggVGhlbi
BCaW5hcnkgPSBNdWx0aUJ5dGVUb0JpbmFyeSh4QmluYXJ5KSBFbHNlIEJpbmFyeSA9IHhCaW5hcnkKICAKICBEaW0g

using Base64. Result is a CVE-2014-6332 exploit in plain text.

See CVE-2014-6332 exploit code here: http://pastebin.com/KX0yT7xt


Detection of payload was low when I found it (Virustotal 2/55)

https://www.virustotal.com/en/file/2b06af53567eb740b26b2da22368b2a3ec9651e90fa9de1482c383b9793c4f7b/analysis/1416577537/

Here is an analysis from Malwr : https://malwr.com/analysis/OGMzZDA4NjM0ZjJmNDU0ZWE5ZWZlODU4YTkzNDZmYTc/

I strongly recommend to install security MS14-064  immediately. At least 2 exploit kits are using a CVE-2014-6332 exploit now.
In case you are still running Windows XP, you are in trouble, because there is no patch for XP.
Ruining the bad guy's day