A new updated version of Terror Exploit Kit observed by SonicWall
Terror exploit kit is a new exploit kit, observed in the wild from be
The figure below shows the URL patterns of the landing page, the exploits and the payload of the observed Terror exploit kit version.
Figure 1: Terror EK URL patterns
A few strings found in the landing page are Il1Iu, Il1Ix, Il1Ica, Il1Ida, function exp(_url, _key), function ush(u, k), function hex(num, width), leakMem, function fire() and Function tRIGgerBug; these should help future classification of this variant.
Below is the image showing the two embedded Flash exploits.
Figure 8: Malicious SWF Objects
This variant tries to infect victims by exploiting vulnerabilities in Adobe Flash Player, as shown in Figure 8 above. The kit launches two Flash movies that are malicious exploits; the shellcode is passed to these exploits as an argument via the FlashVars parameter and is executed after successful exploitation. On execution of the shellcode, the payload malware is downloaded and installed on the victim's system.
During our analysis we observed that the payload has the capability to disable installed security products, steal credentials, open ports (listening for commands from a remote server) and also act as a downloader.
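As an added example (not SonicWall's code or signatures), the following Python script turns the two classification hints above into a simple landing-page check: it counts the indicator strings listed for this variant and looks for embedded Flash objects whose FlashVars value carries a long hex-looking blob, which is the shellcode-as-argument pattern described for the two SWF exploits. The sample HTML pages, the string threshold and the hex-blob length are constructed assumptions for illustration, not values from the write-up.

```python
"""Heuristic classifier for Terror EK style landing pages (added example)."""
import re

# Landing-page strings listed in the write-up for this Terror EK variant.
# The write-up prints the last one as "Function tRIGgerBug"; the bare name is used here.
TERROR_EK_STRINGS = [
    "Il1Iu", "Il1Ix", "Il1Ica", "Il1Ida",
    "function exp(_url, _key)", "function ush(u, k)",
    "function hex(num, width)", "leakMem", "function fire()", "tRIGgerBug",
]

# Assumed threshold: flag a page on strings alone once this many are present.
STRING_THRESHOLD = 3

# Assumed heuristic: a FlashVars piece made of 64+ hex digits looks like shellcode
# handed to the SWF as an argument rather than a normal player setting.
HEX_BLOB_RE = re.compile(r"^[0-9a-fA-F]{64,}$")

OBJECT_RE = re.compile(r"<object\b.*?</object>", re.IGNORECASE | re.DOTALL)
EMBED_RE = re.compile(r"<embed\b[^>]*>", re.IGNORECASE)
# <param name="FlashVars" value="..."> inside an <object> block
PARAM_FLASHVARS_RE = re.compile(
    r"""name\s*=\s*["']flashvars["'][^>]*?value\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
# flashvars="..." attribute on an <embed> tag
ATTR_FLASHVARS_RE = re.compile(r"""\bflashvars\s*=\s*["']([^"']*)["']""", re.IGNORECASE)


def find_flash_objects(html):
    """Return each <object>...</object> block and each stand-alone <embed> tag."""
    blocks = OBJECT_RE.findall(html)
    # Strip object blocks first so an <embed> nested in one is not counted twice.
    rest = OBJECT_RE.sub("", html)
    blocks += EMBED_RE.findall(rest)
    return blocks


def is_flash_block(block):
    """True if the block references a SWF or declares the Flash MIME type."""
    lowered = block.lower()
    return "x-shockwave-flash" in lowered or ".swf" in lowered


def flashvars_values(block):
    """Collect FlashVars values from both the <param> and attribute forms."""
    return PARAM_FLASHVARS_RE.findall(block) + ATTR_FLASHVARS_RE.findall(block)


def has_hex_blob(flashvars):
    """True if any key or value inside a FlashVars string is a long hex run."""
    return any(HEX_BLOB_RE.match(piece) for piece in re.split(r"[&=]", flashvars))


def classify(html):
    """Score one landing page; returns the evidence plus a boolean verdict."""
    found = [s for s in TERROR_EK_STRINGS if s in html]
    flash_objects = 0
    flash_with_hex = 0
    for block in find_flash_objects(html):
        if not is_flash_block(block):
            continue
        flash_objects += 1
        if any(has_hex_blob(v) for v in flashvars_values(block)):
            flash_with_hex += 1
    suspicious = len(found) >= STRING_THRESHOLD or flash_with_hex >= 1
    return {
        "indicator_strings": found,
        "flash_objects": flash_objects,
        "flash_objects_with_hex_flashvars": flash_with_hex,
        "suspicious": suspicious,
    }


# Constructed sample pages. PLACEHOLDER_HEX stands in for a shellcode argument.
PLACEHOLDER_HEX = "41" * 40
SAMPLE_TERROR_PAGE = """
<html><body>
<script>
var Il1Iu = 1, Il1Ix = 2;
function hex(num, width) { return num.toString(16); }
function fire() { tRIGgerBug(); }
</script>
<object type="application/x-shockwave-flash" data="a.swf">
  <param name="FlashVars" value="exec=%s">
</object>
<embed src="b.swf" type="application/x-shockwave-flash" flashvars="exec=%s">
</body></html>
""" % (PLACEHOLDER_HEX, PLACEHOLDER_HEX)

SAMPLE_BENIGN_PAGE = """
<html><body>
<embed src="player.swf" type="application/x-shockwave-flash"
       flashvars="autoplay=1&amp;file=intro.mp4">
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("terror-like", SAMPLE_TERROR_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        print(name, classify(page))
```

The two checks are deliberately independent: a page can be flagged on the landing-page strings alone (useful when the SWF objects are injected later by script) or on the FlashVars pattern alone (useful when the obfuscated names change between versions). Either hit is a reason to pull the referenced SWF files for analysis rather than a verdict on its own.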
Solution provided by SonicWall:
Keeping software up to date will help mitigate this exploit kit. The SonicWall Threat Research team will keep monitoring this exploit kit and its evolution, and will update signatures as required.
SonicWall Gateway AntiVirus provides protection against this threat via the following signatures:
Exploit: CVE-2015-5122.A_2, MalSWF
Landing Page: Terror_EK.LP