Spartan Exploit Kit
Dell Sonicwall Threat Research team has come across a new Exploit kit using Adobe Flash vulnerability (CVE-2015-5122) in its arsenal. This Exploit kit uses malvertising technique to deliver an exploit to the victim.
Originally discovered by Sravan Ganachari from Dell SonicWALL Threat Research team, the new exploit kit uses URL redirection technique to fetch its landing page, which in turn loads a Flash file. This Flash file downloads an XML file which contains another encrypted Flash file. This second flash contains another embedded Flash file (third Flash file) which finally exploits the Adobe Flash Software vulnerability. Because of the exploit delivery mechanism used, the kit and the exploits are highly immune to detection by security solutions.
The exploit Kit redirects the victim to a compromised webpage using malicious advertisement.
The landing page uses Window.getComputedStyle() method to find out the victims web browser information which is passed back to the malicious server.
The loaded Flash file downloads an xml file which contains another encrypted Flash file.
Downloaded XML file is shown below
The second flash file contains another embedded flash file which finally exploits an "Use-after-free vulnerability in the DisplayObject class in Action Script" (CVE-2015-5122). This final flash exploit is never directly written on disk making it resistant to detection
Sonicwall Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: MalSWF (Trojan)