Another day, another Adobe Flash vulnerability – this content platform that just never wants to get decommissioned.
Earlier this week another Adobe Flash 0-day vulnerability was disclosed which is actively being exploited in the wild by attackers. Adobe published a security advisory (APSA18-01) concerning a Flash vulnerability (CVE-2018-4878). Adobe describes the CVE-2018-4878 flaw and confirms that all Flash Players up to v18.104.22.168 are affected. The issue affects Adobe Flash Player Desktop Runtime on Linux, Mac, and Windows, as well as Flash Player for Google Chrome and Microsoft Edge.
This vulnerability allows the attacker to perform Remote Code Execution (RCE) through a malformed Flash object. KISA (Korean CERT) also confirmed the vulnerability and published an advisory about the Adobe Flash 0-day. In addition, Talos identified that attackers are already exploiting this vulnerability with a Flash object embedded in a Microsoft Excel document. When the Office document is opened, the exploit (SWF object) is executed and attempts to download the payload from a compromised website. The SWF object installs ROKRAT, a remote administration tool that Talos has been tracking since January 2017.
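A defender-side check for the delivery method described above, as an added example that is not from the original post or from Talos: it scans an Office file for the Shockwave Flash ActiveX CLSID and for SWF headers. The function names, the size limit and the sample document are constructed for illustration; how the object was embedded in this particular campaign is not detailed on this page.

```python
import io
import re
import uuid
import zipfile

# CLSID of the Shockwave Flash ActiveX control, as text and as OLE2 GUID bytes.
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
CLSID_TEXT = re.compile(str(FLASH_CLSID).encode(), re.IGNORECASE)
CLSID_BIN = FLASH_CLSID.bytes_le
# SWF header: FWS/CWS/ZWS plus a version byte. Short magic, so a weak signal.
SWF_MAGIC = re.compile(rb"[FCZ]WS[\x03-\x32]")
MAX_PART = 64 * 1024 * 1024  # assumed limit: skip oversized parts (zip-bomb guard)


def scan_blob(name, data):
    """Return (part name, finding) tuples for one part or raw file."""
    hits = []
    if CLSID_TEXT.search(data) or CLSID_BIN in data:
        hits.append((name, "flash-activex-clsid"))
    if SWF_MAGIC.search(data):
        hits.append((name, "swf-header"))
    return hits


def scan_office_document(data):
    """Scan an Office file (OOXML zip or legacy OLE2) for embedded Flash."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy .xls/.doc: OLE2 streams are uncompressed, scan raw bytes.
        return scan_blob("<raw>", data)
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size <= MAX_PART:
                hits += scan_blob(info.filename, zf.read(info))
    return hits


def build_sample(with_flash):
    """Constructed input: a minimal zip laid out like an .xlsx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            zf.writestr("xl/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
            zf.writestr("xl/activeX/activeX1.bin", b"\0" * 16 + b"CWS\x1c" + b"\0" * 8)
    return buf.getvalue()
```

A CLSID hit means the document references the Flash control at all, which is rare in legitimate spreadsheets; the SWF-header hit alone can be a chance byte match and is best treated as supporting evidence.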
Below is an illustration of how this attack works to deliver the payload:
“Until now, the group behind ROKRAT—which Talos calls Group 123 (aka APT37, ScarCruft)—has relied on social engineering or exploits of older, previously known vulnerabilities that targets hadn’t yet patched. This is the first time the group has used a 0-day exploit. Group 123 has focused almost entirely on infecting targets located in South Korea. According to this post, published by Talos last month, Group 123 members speak perfect Korean and are thoroughly familiar with the Korean Peninsula region. Talos has stopped short of saying the group has ties to North Korea, but a South Korean security researcher tweeted Thursday that the Flash exploit was made by North Korea.”
We believe that the increasingly sophisticated hacking group exploiting this 0-day vulnerability in Adobe’s Flash Player, which allows the attacker to take full control of the infected machines, is highly associated with Lazarus Group.
Below are the Indicators of Compromise (IOCs) for the activity exploiting this Flash vulnerability and delivering the payload: