
Sweet Orange exploit kit now contains CVE-2014-6332 exploit


Today I came across several instances of the Sweet Orange exploit kit. I didn't know it was Sweet Orange when I found it, but kafeine confirmed it is Sweet Orange. Thanks!

Here is an example.

Obfuscated exploit kit code looks like this:

This is how it looks deobfuscated:

Decode the text block starting with

--- Code: ---
if (true){
  scriptvar = '
--- End code ---

using Base64. The result is a CVE-2014-6332 exploit in plain text.

See CVE-2014-6332 exploit code here:

Detection of the payload was low when I found it (VirusTotal 2/55).

Here is an analysis from Malwr:

I strongly recommend installing security update MS14-064 immediately. At least 2 exploit kits are using a CVE-2014-6332 exploit now.
In case you are still running Windows XP, you are in trouble, because there is no patch for XP.
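
The Base64 decoding step described above can be scripted for static triage. This is an added example, not code from the original post: the function names, the padding repair, the VBScript hint and the sample input are assumptions, and the sample is a constructed, inert placeholder rather than the kit's real block.

```python
import base64
import binascii
import hashlib
import re

# Single-quoted literal assigned to scriptvar (variable name taken from the post).
SCRIPTVAR_RE = re.compile(r"scriptvar\s*=\s*'([^']*)'", re.DOTALL)

# Constructed, inert stand-in for the decoded block; not real exploit code.
PLACEHOLDER = b"<script language=\"VBScript\">\n' constructed placeholder\n</script>"
SAMPLE_JS = "if (true){\n  scriptvar = '%s';\n}" % base64.b64encode(PLACEHOLDER).decode()


def extract_scriptvar(deobfuscated_js):
    """Return the Base64 text assigned to scriptvar, whitespace removed, or None."""
    match = SCRIPTVAR_RE.search(deobfuscated_js)
    if match is None:
        return None
    return re.sub(r"\s+", "", match.group(1))


def decode_block(b64_text):
    """Strictly decode Base64, repairing missing '=' padding; ValueError if invalid."""
    padded = b64_text + "=" * (-len(b64_text) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError("scriptvar literal is not valid Base64") from exc


def triage(deobfuscated_js):
    """Decode the embedded block and summarise it without executing anything."""
    b64_text = extract_scriptvar(deobfuscated_js)
    if b64_text is None:
        return None
    raw = decode_block(b64_text)
    text = raw.decode("latin-1")  # latin-1 never fails, so odd bytes are kept
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # stable id for sharing/lookup
        "size": len(raw),
        # Assumption: a VBScript marker is worth flagging; it is a hint, not a verdict.
        "mentions_vbscript": "vbscript" in text.lower(),
        "preview": text[:60],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_JS))
```

The decoded bytes are only hashed and inspected as text, never rendered or executed, so the script can run on an analysis host without Internet Explorer.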