Cybersecurity
researchers have discovered a new zero-day vulnerability in Adobe Flash
Player that hackers are actively exploiting in the wild as part of a
targeted campaign appears to be attacking a Russian state health care
institution.
The vulnerability, tracked as
CVE-2018-15982, is a use-after-free
flaw resides in Flash Player that, if exploited successfully, allows an
attacker to execute arbitrary code on the targeted computer and
eventually gain full control over the system.
The newly discovered Flash Player zero-day exploit was spotted last week
by researchers inside malicious Microsoft Office documents, which were
submitted to online multi-engine malware scanning service VirusTotal
from a Ukrainian IP address.
The maliciously crafted Microsoft Office documents contain an embedded
Flash Active X control in its header that renders when the targeted user
opens it, causing exploitation of the reported Flash player
vulnerability.
According to cybersecurity researchers, neither the Microsoft Office
file (22.docx) nor the Flash exploit (inside it) itself contain the
final payload to take control over the system.
Instead, the final payload is hiding inside an image file (scan042.jpg),
which is itself an archive file, that has been packed along with the
Microsoft Office file inside a parent WinRAR archive which is then
distributed through spear-phishing emails, as shown in the video below:
Upon
opening the document, the Flash exploit executes a command on the
system to unarchive the image file and run the final payload (i.e.,
backup.exe) which has been protected with VMProtect and programmed to
install a backdoor that is capable of:
- monitoring user activities (keyboard or moves the mouse)
- collecting system information and sending it to a remote command-and-control (C&C) server,
- executing shellcode,
- loading PE in memory,
- downloading files
- execute code, and
- performing self-destruction.
Researchers from
Gigamon Applied Threat Research and Chinese cyber-security firm
Qihoo 360 Core Security,
who spotted and named the malware campaign as "Operation Poison
Needles," have not attributed the attack to any state-sponsored hacking
group.
However, since the maliciously crafted documents in question purport to
be an employment application for a Russian state healthcare clinic that
is affiliated to the Presidential Administration of Russia and was
uploaded on VirusTotal from a Ukrainian IP, researchers believe the
attackers could be from Ukraine, considering the political tension
between the two countries.
The vulnerability impacts Adobe Flash Player versions 31.0.0.153 and
earlier for products including Flash Player Desktop Runtime, Flash
Player for Google Chrome, Microsoft Edge and Internet Explorer 11. Adobe
Flash Player Installer versions 31.0.0.108 and earlier is also
affected.
Researchers reported the Flash zero-day exploit to Adobe on November 29,
after which the company acknowledged the issue and released
updated Adobe Flash Player version 32.0.0.101 for Windows, macOS, Linux, and Chrome OS; and Adobe Flash Player Installer version 31.0.0.122.
The security updates include a patch for the reported zero-day flaw,
along with a fix for an "important" DLL hijacking vulnerability
(CVE-2018-15983), which could allow attackers to gain privilege
escalation via Flash Player and load a malicious DLL.
#ref-menu