Posts

A new updated version of Terror Exploit Kit observed by SonicWall (March 13th, 2017)

Summary:

Terror exploit kit is a new exploit kit, observed in the wild since the beginning of this year. The SonicWall Threat Research team has observed a new version of Terror exploit kit, which now contains code stolen from both the RIG and Sundown exploit kits. The landing page of Terror exploit kit consists of a JavaScript that appears to be stolen from RIG, followed by another script stolen from the Sundown exploit kit. These stolen JavaScripts are followed by embedded Flash exploits. No obfuscation is seen in this exploit kit; neither the landing page nor the payload is encrypted.

Technical Details:

The figure below shows the URL pattern of the landing page, exploits and payload of the observed Terror exploit kit version.

Figure 1: Terror EK URL patterns


Landing Page:

The Terror EK landing page contains two JavaScripts and two Flash exploits embedded in it. Below is the image of the first JavaScript. This code looks like the de-obfuscated RIG exploit kit; the sub-function names inside function exp look exactly the same.

Figure 2: Landing page JavaScript functions


A few strings found in the landing page are Il1Iu, Il1Ix, Il1Ica, Il1Ida, function exp(_url, _key), function ush(u, k), function hex(num, width), leakMem, function fire() and function tRIGgerBug, which should help future classification of this variant.

Below is the image of the second JavaScript present in Terror EK landing page.

Figure 3: VBScript embedded in JavaScript


This JavaScript injects malicious VBScript into the DOM dynamically using JavaScript's document.write method, as shown in Figure 3. A similar technique is used in the Sundown exploit kit. The injected VBScript is identified as exploiting the vulnerability described in CVE-2016-0189.
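The landing-page strings listed above and the document.write-based VBScript injection are both static indicators, so a scanner can look for them in captured HTML. The following Python example is added here and is not SonicWall's signature logic; it uses the names from the write-up as indicators, adds a regular expression for a document.write call whose argument opens a VBScript block, and runs both over a constructed sample page (the function bodies in the sample are empty placeholders). The thresholds in the verdict are assumptions for this example.

```python
import re

# Landing-page strings named in the write-up (function and variable names
# from the first Terror EK JavaScript).
TERROR_LP_STRINGS = (
    "Il1Iu", "Il1Ix", "Il1Ica", "Il1Ida",
    "function exp(_url, _key)", "function ush(u, k)",
    "function hex(num, width)", "leakMem", "function fire()", "tRIGgerBug",
)

# A document.write(...) call whose string argument opens a VBScript block:
# VBScript injected into the DOM at runtime, as in the second script.
VBSCRIPT_INJECT_RE = re.compile(
    r"document\.write\s*\(.{0,400}?<script[^>]*?\bvbscript\b",
    re.IGNORECASE | re.DOTALL,
)


def scan_landing_page(html):
    """Return matched indicators, whether VBScript is injected through
    document.write, a simple score and a verdict."""
    matched = [s for s in TERROR_LP_STRINGS if s in html]
    vbs_inject = VBSCRIPT_INJECT_RE.search(html) is not None
    score = len(matched) + (3 if vbs_inject else 0)
    # Thresholds are an assumption for this example, not SonicWall's rule.
    if len(matched) >= 4 or (matched and vbs_inject):
        verdict = "terror_ek_landing_page"
    else:
        verdict = "no_match"
    return {"matched": matched, "vbscript_injection": vbs_inject,
            "score": score, "verdict": verdict}


# Constructed sample: only the names from the write-up are reproduced; the
# function bodies are placeholders, not the kit's code.
SAMPLE_TERROR_PAGE = r"""<html><body>
<script>
var Il1Iu = 0, Il1Ix = 1;
function hex(num, width) { return num.toString(16); }
function ush(u, k) { return u; }
function exp(_url, _key) {
  var leakMem = [];
  function fire() {}
  function tRIGgerBug() {}
}
</script>
<script>
document.write('<script language="VBScript">\' placeholder only<\/script>');
</script>
</body></html>
"""

# Constructed benign page that happens to share one common function name.
SAMPLE_BENIGN_PAGE = "<html><script>function hex(num, width) { return num; }</script></html>"

if __name__ == "__main__":
    for name, page in (("terror", SAMPLE_TERROR_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        print(name, scan_landing_page(page))
```

The benign sample matches one generic name (hex) and is not flagged; the constructed Terror sample matches eight of the ten strings plus the VBScript injection. Exact-string matching is deliberately narrow, since the write-up notes this variant is unobfuscated; an obfuscated successor would need the strings re-derived from a de-obfuscated copy.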

Below is the image showing the two embedded flash exploits.

Figure 8: Malicious SWF Objects

This variant tries to infect victims by exploiting vulnerabilities in Adobe Flash Player, as shown in Figure 8 above. We can observe that this kit launches two Flash movies which are malicious exploits; the shellcode is passed to these exploits as an argument using the FlashVars parameter and is executed after successful exploitation. On execution of the shellcode, the payload malware is downloaded and installed onto the victim's system.
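Because the shellcode travels in the FlashVars parameter of the embedded objects, the HTML itself carries a detectable artifact: a FlashVars value that is a long, purely hexadecimal blob, which legitimate Flash embeds (click-tracking URLs, autoplay flags) never are. The Python example below is added here and is not SonicWall's detection logic; it parses `<object>`/`<param>`/`<embed>` elements with the standard-library HTML parser, splits FlashVars into key/value pairs, and flags values that are at least 64 characters of hex. That the shellcode is hex-encoded is an assumption of this example (the page does not say how it is encoded), as are the thresholds; the sample page is constructed and its blob is filler, not shellcode.

```python
import math
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import parse_qsl

HEX_CHARS = set("0123456789abcdefABCDEF")


class FlashObjectCollector(HTMLParser):
    """Collect Flash <object>/<embed> elements with their movie URL and FlashVars."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None  # the <object> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "object":
            self._current = {"src": a.get("data"), "flashvars": None}
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            name = (a.get("name") or "").lower()
            if name == "movie":
                self._current["src"] = a.get("value")
            elif name == "flashvars":
                self._current["flashvars"] = a.get("value")
        elif tag == "embed":
            if self._current is not None:
                # <embed> fallback inside <object>: fill in whatever the params lacked
                self._current["src"] = self._current["src"] or a.get("src")
                self._current["flashvars"] = self._current["flashvars"] or a.get("flashvars")
            else:
                self.objects.append({"src": a.get("src"), "flashvars": a.get("flashvars")})

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def hex_ratio(s):
    """Fraction of characters that are hexadecimal digits."""
    return sum(c in HEX_CHARS for c in s) / len(s) if s else 0.0


def shannon_entropy(s):
    """Bits per character; reported so an analyst can compare blobs."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def find_suspicious_flashvars(html, min_len=64, min_hex_ratio=0.95):
    """Flag FlashVars values that look like a hex-encoded binary blob."""
    parser = FlashObjectCollector()
    parser.feed(html)
    hits = []
    for obj in parser.objects:
        if not obj["flashvars"]:
            continue
        for key, value in parse_qsl(obj["flashvars"], keep_blank_values=True):
            if len(value) >= min_len and hex_ratio(value) >= min_hex_ratio:
                hits.append({"src": obj["src"], "var": key, "length": len(value),
                             "hex_ratio": round(hex_ratio(value), 3),
                             "entropy": round(shannon_entropy(value), 3)})
    return hits


# Constructed sample: two 1x1 Flash embeds carrying a hex blob (filler bytes,
# not shellcode) and one ordinary ad banner with normal FlashVars.
SAMPLE_PAGE = """
<object width="1" height="1">
  <param name="movie" value="/fl1.swf">
  <param name="FlashVars" value="exec={blob}">
</object>
<embed src="/fl2.swf" flashvars="exec={blob}" width="1" height="1">
<embed src="/banner.swf" flashvars="clickTag=http%3A%2F%2Fexample.com%2Fad&amp;autoplay=1">
""".format(blob="ab12" * 32)

if __name__ == "__main__":
    for hit in find_suspicious_flashvars(SAMPLE_PAGE):
        print(hit)
```

Both 1x1 embeds are reported with the variable name, blob length, hex ratio and entropy; the banner's clickTag and autoplay values are short and non-hex and pass. The entropy column is there because a real encoded payload will sit well above the 2.0 bits of the repetitive filler used in the sample.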

During our analysis we observed that the payload has capabilities to disable installed security products, steal credentials, open ports (listening for commands from a remote server) and also act as a downloader.

Solution provided by SonicWall:

Keeping software up to date will help in mitigating this exploit kit. The SonicWall Threat Research team will keep monitoring this exploit kit and its evolution, updating signatures as required.

SonicWall Gateway AntiVirus provides protection against this threat via the following signatures:

Payload: Downloader.A_973

Exploit: CVE-2015-5122.A_2, MalSWF

Landing Page: Terror_EK.LP

Spartan Exploit Kit (Sep 11th, 2015)

The Dell SonicWALL Threat Research team has come across a new exploit kit using an Adobe Flash vulnerability (CVE-2015-5122) in its arsenal. This exploit kit uses a malvertising technique to deliver the exploit to the victim.

Originally discovered by Sravan Ganachari of the Dell SonicWALL Threat Research team, the new exploit kit uses a URL redirection technique to fetch its landing page, which in turn loads a Flash file. This Flash file downloads an XML file which contains another encrypted Flash file. This second Flash file contains another embedded Flash file (the third Flash file), which finally exploits the Adobe Flash vulnerability. Because of this exploit delivery mechanism, the kit and the exploits are highly resistant to detection by security solutions.

Infection Chain:

The exploit kit redirects the victim to a compromised web page using a malicious advertisement.

Fig-1 : Flow chart of Infection Chain

This compromised web page (automotivevehicle.com) further redirects the victim to the kit's landing page using injected JavaScript code.

Fig-2 : Infected Webpage

The landing page uses the Window.getComputedStyle() method to find out the victim's web browser information, which is passed back to the malicious server.

Fig-3 : Searching for the victim's web browser

Fig-4 : Landing page of Exploit Kit

This exploit kit's landing page then requests a new JavaScript, which creates a Flash object and appends it to a DOM element, thus launching the Flash file in the browser.

Fig-5 : Javascript code to load Flash file

The loaded Flash file downloads an XML file which contains another encrypted Flash file.

Fig-6 : Flash with an encrypted URL

The downloaded XML file is shown below.

Fig-7 : XML with encrypted flash file

The second Flash file contains another embedded Flash file, which finally exploits a “Use-after-free vulnerability in the DisplayObject class in ActionScript” (CVE-2015-5122). This final Flash exploit is never written directly to disk, making it resistant to detection.
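The Flash-inside-Flash packaging described in the summary and here (a second SWF that carries the final exploit SWF, so the exploit never touches disk) leaves a structural trace that a file scanner can look for without any knowledge of the exploit itself: a SWF whose tag stream contains another complete SWF. The Python example below is added here and is not SonicWall's or the kit's code. It walks the SWF tag records (handling uncompressed FWS and zlib-compressed CWS files), looks inside DefineBinaryData tags, which is the standard ActionScript 3 way of embedding binary assets, and reports every nested SWF recursively. That the kit uses DefineBinaryData is an assumption of this example; the page does not say how the third file is embedded, and the encryption layer around the XML-delivered second file (Fig-6 and Fig-7) is not described and is not handled. The sample SWFs are built by a helper in the block and contain no ActionScript at all.

```python
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
TAG_END = 0
TAG_DEFINE_BINARY_DATA = 87  # payload: UI16 character id, UI32 reserved, then the bytes


def decompress_swf(data):
    """Return the SWF with its body uncompressed; the 8-byte header is kept as-is."""
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        return data[:8] + zlib.decompress(data[8:])
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) not handled in this example")
    raise ValueError("not a SWF file")


def header_length(body):
    """Bytes covered by signature, version, file length, frame RECT, frame rate and count."""
    nbits = body[8] >> 3                       # RECT: 5-bit Nbits, then four Nbits-wide fields
    rect_bytes = (5 + 4 * nbits + 7) // 8
    return 8 + rect_bytes + 2 + 2


def iter_tags(body):
    """Yield (code, payload) for each tag record up to and including End."""
    pos = header_length(body)
    while pos + 2 <= len(body):
        code_and_len, = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                      # long form: UI32 length follows
            length, = struct.unpack_from("<I", body, pos)
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == TAG_END:
            break


def find_embedded_swfs(data, depth=0, max_depth=4):
    """Return [(depth, size, signature)] for every SWF nested in DefineBinaryData tags."""
    found = []
    for code, payload in iter_tags(decompress_swf(data)):
        if code == TAG_DEFINE_BINARY_DATA and len(payload) > 6:
            blob = payload[6:]
            if blob[:3] in SWF_MAGICS:
                found.append((depth + 1, len(blob), blob[:3].decode()))
                if depth + 1 < max_depth:
                    found.extend(find_embedded_swfs(blob, depth + 1, max_depth))
    return found


def build_swf(tags, compress=False):
    """Build a minimal SWF for testing (constructed data, no ActionScript)."""
    body = b"\x00" + struct.pack("<HH", 0x1800, 1)   # empty RECT, 24 fps, 1 frame
    for code, payload in list(tags) + [(TAG_END, b"")]:
        if len(payload) >= 0x3F:
            body += struct.pack("<HI", (code << 6) | 0x3F, len(payload))
        else:
            body += struct.pack("<H", (code << 6) | len(payload))
        body += payload
    header = struct.pack("<I", 8 + len(body))          # uncompressed file length
    if compress:
        return b"CWS" + bytes([10]) + header + zlib.compress(body)
    return b"FWS" + bytes([10]) + header + body


def binary_data_tag(character_id, blob):
    """Payload of a DefineBinaryData tag wrapping blob."""
    return struct.pack("<HI", character_id, 0) + blob


# Constructed three-level chain mirroring the write-up: outer -> middle (compressed) -> inner.
SAMPLE_INNER = build_swf([])
SAMPLE_MIDDLE = build_swf([(TAG_DEFINE_BINARY_DATA, binary_data_tag(1, SAMPLE_INNER))], compress=True)
SAMPLE_OUTER = build_swf([(TAG_DEFINE_BINARY_DATA, binary_data_tag(2, SAMPLE_MIDDLE))])

if __name__ == "__main__":
    for depth, size, sig in find_embedded_swfs(SAMPLE_OUTER):
        print(f"depth {depth}: {sig} SWF of {size} bytes")
```

Run against the constructed outer file it reports a compressed SWF at depth 1 and a plain one at depth 2. A nested SWF is not malicious on its own (asset loaders do this legitimately), so the sensible use is as a triage signal: pull the inner files out, write them to the analysis sandbox, and scan each one with the same signatures that would have fired had it been fetched from the network directly.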

Fig-8 : Decompiled Flash Exploit file

Sonicwall Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: MalSWF (Trojan)