Spartan Exploit Kit (Sep 11th, 2015)
Dell Sonicwall Threat Research team has come across a new Exploit kit using Adobe Flash vulnerability (CVE-2015-5122) in its arsenal. This Exploit kit uses malvertising technique to deliver an exploit to the victim.
Originally discovered by Sravan Ganachari from Dell SonicWALL Threat Research team, the new exploit kit uses URL redirection technique to fetch its landing page, which in turn loads a Flash file. This Flash file downloads an XML file which contains another encrypted Flash file. This second flash contains another embedded Flash file (third Flash file) which finally exploits the Adobe Flash Software vulnerability. Because of the exploit delivery mechanism used, the kit and the exploits are highly immune to detection by security solutions.
Infection Chain:
The exploit Kit redirects the victim to a compromised webpage using malicious advertisement.
This compromised webpage(automotivevehicle.com) further redirects the victim to the Kit’s landing page using an injected javascript code.
The landing page uses Window.getComputedStyle() method to find out the victims web browser information which is passed back to the malicious server.
This Exploit kit’s landing page then requests for a new Javascript, which creates a flash object and appends it to the DOM element. Thus launching the flash file in the browser.
The loaded Flash file downloads an xml file which contains another encrypted Flash file.
Downloaded XML file is shown below
The second flash file contains another embedded flash file which finally exploits an “Use-after-free vulnerability in the DisplayObject class in Action Script” (CVE-2015-5122). This final flash exploit is never directly written on disk making it resistant to detection
Sonicwall Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: MalSWF (Trojan)