Sweet Orange exploit kit now contains CVE-2014-6332 exploit
SysAdMini:
Today I came across several instances of the Sweet Orange exploit kit. I didn't know it was Sweet Orange when I found it, but kafeine confirmed it is Sweet Orange. Thanks!
Here is an example.
Obfuscated exploit kit code looks like this: http://pastebin.com/zhETf0J6
This is how it looks deobfuscated: http://wepawet.iseclab.org/view.php?hash=a4e22313eb87ff82ecab1ba6ff63cc41&t=1416575777&type=js
Decode the text block starting with
--- Code: ---
if (true){
scriptvar = '
CkZ1bmN0aW9uIGIycyh4QmluYXJ5KQoKICAKIERpbSBCaW5hcnkKICBJZiB2YXJ0eXBlKHhCaW5hcnkpPTggVGhlbi
BCaW5hcnkgPSBNdWx0aUJ5dGVUb0JpbmFyeSh4QmluYXJ5KSBFbHNlIEJpbmFyeSA9IHhCaW5hcnkKICAKICBEaW0g
--- End code ---
using Base64. The result is a CVE-2014-6332 exploit in plain text.
See CVE-2014-6332 exploit code here: http://pastebin.com/KX0yT7xt
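As an added worked example (not code from the post or from the exploit kit), here is how an analyst can pull the `scriptvar` block out of the obfuscated stage and Base64-decode it for triage. The sample stage is constructed from the two quoted lines of the blob above, so only the opening of the VBScript is recovered; the marker list is an assumption based on what the decoded text shows.

```python
import base64
import re

# Constructed sample: the two quoted lines of the Base64 block from the post,
# wrapped in the same `scriptvar = '...'` assignment. The real blob is longer;
# only this excerpt is embedded here.
SAMPLE_STAGE = """if (true){
scriptvar = '
CkZ1bmN0aW9uIGIycyh4QmluYXJ5KQoKICAKIERpbSBCaW5hcnkKICBJZiB2YXJ0eXBlKHhCaW5hcnkpPTggVGhlbi
BCaW5hcnkgPSBNdWx0aUJ5dGVUb0JpbmFyeSh4QmluYXJ5KSBFbHNlIEJpbmFyeSA9IHhCaW5hcnkKICAKICBEaW0g
';
}
"""

# Assumed indicators of VBScript in the decoded text (analyst heuristic, not from the post).
VBSCRIPT_MARKERS = ("Function ", "Dim ", "vartype(", "MultiByteToBinary", "End Function")

def extract_scriptvar(stage: str) -> str:
    """Return the raw scriptvar string literal with all whitespace removed."""
    m = re.search(r"scriptvar\s*=\s*'([^']*)'", stage)
    if not m:
        raise ValueError("no scriptvar assignment found")
    return re.sub(r"\s+", "", m.group(1))

def decode_stage(stage: str) -> str:
    """Base64-decode the embedded block, re-padding it if the capture was cut short."""
    blob = extract_scriptvar(stage)
    blob += "=" * (-len(blob) % 4)
    # latin-1 never fails on arbitrary bytes, so a partial blob still yields text.
    return base64.b64decode(blob, validate=True).decode("latin-1")

def triage(stage: str) -> dict:
    """Decode the block and report which VBScript markers it contains."""
    text = decode_stage(stage)
    found = [k for k in VBSCRIPT_MARKERS if k in text]
    return {"decoded_length": len(text), "markers": found, "looks_like_vbscript": bool(found)}

if __name__ == "__main__":
    print(decode_stage(SAMPLE_STAGE))
    print(triage(SAMPLE_STAGE))
```

The excerpt decodes to the start of a `Function b2s(xBinary)` helper, which is what the post's plain-text link shows in full.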
Detection of the payload was low when I found it (VirusTotal 2/55):
https://www.virustotal.com/en/file/2b06af53567eb740b26b2da22368b2a3ec9651e90fa9de1482c383b9793c4f7b/analysis/1416577537/
Here is an analysis from Malwr: https://malwr.com/analysis/OGMzZDA4NjM0ZjJmNDU0ZWE5ZWZlODU4YTkzNDZmYTc/
I strongly recommend installing security update MS14-064 immediately. At least 2 exploit kits are using a CVE-2014-6332 exploit now.
In case you are still running Windows XP, you are in trouble, because there is no patch for XP.