Spartan Exploit Kit

September 11, 2015

The Dell SonicWALL Threat Research team has come across a new exploit kit that carries an Adobe Flash vulnerability (CVE-2015-5122) in its arsenal. The kit uses malvertising to deliver the exploit to the victim.

Originally discovered by Sravan Ganachari of the Dell SonicWALL Threat Research team, the kit uses URL redirection to reach its landing page, which in turn loads a Flash file. That Flash file downloads an XML file containing a second, encrypted Flash file, and the second Flash file carries a third, embedded Flash file that finally exploits the Adobe Flash vulnerability. Because of this layered delivery mechanism, the kit and its exploits are highly resistant to detection by security solutions.

Infection Chain:

The exploit kit redirects the victim to a compromised web page through a malicious advertisement.

Fig-1 : Flow chart of Infection Chain

This compromised web page then redirects the victim to the kit's landing page using injected JavaScript code.

Fig-2 : Infected Webpage

The landing page uses the Window.getComputedStyle() method to gather information about the victim's web browser, which is passed back to the malicious server.

Fig-3 : Searching for the victim's web browser

Fig-4 : Landing page of Exploit Kit

The exploit kit's landing page then requests a further JavaScript file, which creates a Flash object and appends it to a DOM element, thus launching the Flash file in the browser.

Fig-5 : JavaScript code to load the Flash file

The loaded Flash file downloads an XML file containing another, encrypted Flash file.

Fig-6 : Flash with an encrypted URL

The downloaded XML file is shown below:

Fig-7 : XML with the encrypted Flash file

The second Flash file contains another embedded Flash file, which finally exploits a "Use-after-free vulnerability in the DisplayObject class in ActionScript" (CVE-2015-5122). This final Flash exploit is never written directly to disk, which makes it resistant to detection.

Fig-8 : Decompiled Flash Exploit file
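As a defender-side check for the Flash-inside-Flash packaging described above, the following is an added example (not code from the original post or from SonicWALL) that scans a blob for SWF headers, inflates zlib-compressed (CWS) bodies, and reports any Flash file found inside another. It relies only on the public SWF header layout; the sample bytes are constructed here and are not the kit's actual files, and the encrypted XML stage is not covered since the post does not describe its encryption.

```python
import re
import struct
import zlib

# SWF header: 3-byte signature (FWS raw, CWS zlib, ZWS LZMA), 1-byte version, 4-byte LE length.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

def parse_swf_header(blob, offset):
    """Return (magic, version, length) if a plausible SWF header starts at offset, else None."""
    hdr = blob[offset:offset + 8]
    if len(hdr) < 8 or hdr[:3] not in SWF_MAGICS:
        return None
    version, length = hdr[3], struct.unpack("<I", hdr[4:8])[0]
    if not 1 <= version <= 60 or not 8 <= length <= 64 * 1024 * 1024:  # loose sanity limits
        return None
    return hdr[:3].decode("ascii"), version, length

def scan_swf_headers(blob):
    """Flat scan: (offset, magic, version, length) for each plausible SWF header in blob."""
    hits = []
    for m in re.finditer(rb"[FCZ]WS", blob):
        parsed = parse_swf_header(blob, m.start())
        if parsed:
            hits.append((m.start(),) + parsed)
    return hits

def find_nested_swfs(blob, depth=0, max_depth=3):
    """List (depth, offset, magic, version) for every SWF header, inflating and rescanning CWS bodies.
    A SWF embedded in an uncompressed FWS is already visible to the flat scan at the same depth."""
    found = []
    for offset, magic, version, _ in scan_swf_headers(blob):
        found.append((depth, offset, magic, version))
        if magic == "CWS" and depth < max_depth:
            try:  # decompressobj tolerates bytes trailing the zlib stream
                inner = zlib.decompressobj().decompress(blob[offset + 8:])
            except zlib.error:
                continue
            found.extend(find_nested_swfs(inner, depth + 1, max_depth))
    return found

def make_swf(magic, version, body):
    """Build a minimal SWF container (constructed sample data, not real exploit content)."""
    payload = zlib.compress(body) if magic == b"CWS" else body
    return magic + bytes([version]) + struct.pack("<I", 8 + len(body)) + payload

# Constructed sample with the kit's layout: FWS outer -> CWS middle -> FWS inner.
INNER = make_swf(b"FWS", 10, b"\x00" * 4)
MIDDLE = make_swf(b"CWS", 13, b"padding" + INNER)
SAMPLE = make_swf(b"FWS", 11, b"junk" + MIDDLE + b"tail")
```

More than one reported header in a single downloaded object is the signal to triage it, whatever the outer file claims to be.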

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: MalSWF (Trojan)