Adobe Flash 0-day Indicators of Compromise (IOCs)

(Last Updated On: 28th February 2018)



Another day, another Adobe Flash vulnerability in the content platform that just never wants to be decommissioned.

Earlier this week another Adobe Flash 0-day vulnerability was disclosed that is being actively exploited in the wild. Adobe published security advisory APSA18-01 for the vulnerability, CVE-2018-4878, and confirms that Flash Player 28.0.0.137 and all earlier versions are affected. The issue affects the Adobe Flash Player Desktop Runtime on Linux, macOS and Windows, as well as Flash Player for Google Chrome and Microsoft Edge.

This vulnerability, a use-after-free in Flash Player, allows an attacker to achieve Remote Code Execution (RCE) through a malformed Flash object. KISA (the Korean CERT) also confirmed the vulnerability and published its own advisory on the Adobe Flash 0-day. In addition, Talos identified that attackers are already exploiting it with a Flash object embedded in a Microsoft Excel document: when the document is opened, the embedded SWF exploit runs and attempts to download the payload from a compromised website. The payload is ROKRAT, a remote administration tool that Talos has been tracking since January 2017.
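Talos describes the delivery vehicle as an SWF embedded in an Excel document. As an added example, not code from the original post or from Talos, the following Python triages an OOXML package (xlsx/docx/pptx) for embedded Flash content by looking for the SWF container magic (FWS/CWS/ZWS) inside embedded OLE/ActiveX binaries and for ActiveX parts that reference the Shockwave Flash control CLSID. The workbook it builds is constructed in memory and is not a real exploit document; the CLSID value and the zip layout are the usual Office conventions, assumed here rather than stated by the post.

```python
"""Triage an OOXML package for embedded Flash content.

Added example, not code from the original post or from Talos. It checks
for the SWF container magic inside embedded OLE/ActiveX binaries and for
ActiveX parts naming the Shockwave Flash control. The demo workbook is
constructed in memory and is not a real exploit document.
"""
import io
import re
import zipfile
import zlib

# CLSID of the Shockwave Flash ActiveX control (well-known value; an
# assumption of this example, not something the post states).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"

# SWF header = 3-byte magic (FWS uncompressed, CWS zlib, ZWS LZMA),
# 1-byte version, 4-byte LE length. Requiring a plausible version
# (1..40) cuts down on random "FWS" byte runs in large binaries.
_SWF_RE = re.compile(rb"(FWS|CWS|ZWS)[\x01-\x28]")


def find_embedded_swf(data: bytes) -> list:
    """Return (member, kind, offset) findings for an OOXML zip held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            lower = name.lower()
            # Binary parts: OLE wrappers put the SWF after the compound-file
            # header, so search the whole member rather than just offset 0.
            if lower.endswith((".bin", ".swf")) or "/embeddings/" in lower or "/activex/" in lower:
                m = _SWF_RE.search(blob)
                if m:
                    findings.append((name, "swf:" + m.group(1).decode(), m.start()))
            # ActiveX descriptor XML naming the Flash control.
            if lower.endswith(".xml") and FLASH_CLSID.lower() in blob.decode("utf-8", "ignore").lower():
                findings.append((name, "activex:flash-clsid", None))
    return findings


def build_sample(with_flash: bool) -> bytes:
    """Construct a minimal OOXML-style zip (demo input, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            # zlib-compressed SWF, version 28, declared length 0x400, placed
            # behind 32 bytes standing in for an OLE compound-file header.
            swf = b"CWS" + bytes([28]) + (0x400).to_bytes(4, "little") + zlib.compress(b"\x00" * 64)
            z.writestr("xl/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28 + swf)
            z.writestr(
                "xl/activeX/activeX1.xml",
                '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                f'ax:classid="{{{FLASH_CLSID}}}" ax:persistence="persistStreamInit"/>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("flash" if flag else "clean", find_embedded_swf(build_sample(flag)))
```

On a real host you would feed `find_embedded_swf` the bytes of each Office attachment from mail or proxy captures; a hit on either indicator is worth a detonation, since a legitimate spreadsheet has no reason to carry a Flash object.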

Below is an illustration of how this attack works to deliver the payload:

“Until now, the group behind ROKRAT—which Talos calls Group 123 (aka APT37, ScarCruft)—has relied on social engineering or exploits of older, previously known vulnerabilities that targets hadn’t yet patched. This is the first time the group has used a 0-day exploit. Group 123 has focused almost entirely on infecting targets located in South Korea. According to this post, published by Talos last month, Group 123 members speak perfect Korean and are thoroughly familiar with the Korean Peninsula region. Talos has stopped short of saying the group has ties to North Korea, but a South Korean security researcher tweeted Thursday that the Flash exploit was made by North Korea.”

We believe the increasingly sophisticated hacking group exploiting this 0-day vulnerability in Adobe’s Flash Player, which allows the attacker to take full control of the infected machines, is highly associated with the Lazarus Group.

Below are the Indicators of Compromise (IOCs) for the samples exploiting this Flash vulnerability and delivering the payload:

SHA-256 Hashes

3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c
e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd
fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0
1a3269253784f76e3480e4b3de312dfee878f99045ccfd2231acb5ba57d8ed0d
2ca7c2048f247b871e455a9ac8bcb97927dd284477e7c2c4d2454509f97413b5
3004196da6055c6f062c94a9aae8dc357fa19b953b071049083e69e840083cf9
4f4eca598f5ef967785d96bc0a287cc26ab9c6402a957efe76426e7467d28faa
88d7aa1612756e2e70e4972d3f6a80517515f5274b38d4601357f954e207f294
927afb60891ffd38d3bef4bd3e7cb943d161db8404f8965dda14edf0f65e4e16
7d163e36f47ec56c9fe08d758a0770f1778fa30af68f39aac80441a3f037761e
5441f45df22af63498c63a49aae82065086964f9067cfa75987951831017bd4f
171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824
a29b07a6fe5d7ce3147dd7ef1d7d18df16e347f37282c43139d53cce25ae7037
eb6d25e08b2b32a736b57f8df22db6d03dc82f16da554f4e8bb67120eacb1d14
9b383ebc1c592d5556fec9d513223d4f99a5061591671db560faf742dd68493f

ROKRAT: b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e
Freenki: 99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5

ROKRAT PE32:
cd166565ce09ef410c5bba40bad0b49441af6cfb48772e7e4a9de3d646b4851c
051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00

Path: c:\ProgramData\HncModuleUpdate.exe

MD5 Hashes
111d205422fe90848c2f41cc84ebd96a
3142fc8c1142f25698dabe8921996753
3f98c434d7b39de61a8b459180dd46a3
a47176bbc8aa136eb2814f3113617af7
f75a5e7ecc26c089c8d20406ea192c49
1f93c09eed6bb17ec46e63f00bd40ebb
4c1533cbfb693da14e54e5a92ce6faba
5f97c5ea28c0401abc093069a50aa1f8
9593d277b42947ef28217325bcc1fe50
394e52e219feb1a5c403714154048728
d2881e56e66aeaebef7efaa60a58ef9b

URLs
hxxp://www[.]1588-2040[.]co[.]kr/conf/product_old.jpg
hxxp://www[.]1588-2040[.]co[.]kr/design/m/images/image/image.php
hxxp://www[.]dylboiler[.]co[.]kr/admincenter/files/board/4/manager.php
hxxp://www[.]korea-tax[.]info/main/local.php
hxxp://www[.]dylboiler[.]co[.]kr/admincenter/files/boad/4/manager.php
hxxp://discgolfglow[.]com/wp-content/plugins/maintenance/images/worker.jpg
hxxp://acddesigns[.]com[.]au/clients/ACPRCM/kingstone.jpg

HOSTNAME
www[.]korea-tax[.]info

YARA
51e40218c65dcf2eb04ec90a56ee388dcda81765
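As an added example, not code from the original post or from Talos, the following Python parses an excerpt of the IOC list above exactly as published (defanged), refangs the URLs, and checks them against a constructed proxy log and a constructed file listing. The IOC values are copied from the list above; the log lines, client addresses and file contents are made up for the demonstration, so only the path indicator can match on the file side.

```python
"""Match the IOCs published above against constructed proxy-log and file data.

Added example, not code from the original post or from Talos. IOC_TEXT is
an excerpt of the list above as published; PROXY_LOG and SAMPLE_FILES are
constructed for the demo. URLs are compared on host+path so a different
scheme or an added query string in the proxy log does not hide a hit.
"""
import hashlib
import re
from urllib.parse import urlsplit

IOC_TEXT = r"""
ROKRAT: b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e
Freenki: 99c1b4887d96cb94f32b280c1039b3a7e39ad996859ffa6dd011cf3cca4f1ba5
cd166565ce09ef410c5bba40bad0b49441af6cfb48772e7e4a9de3d646b4851c
051463a14767c6477b6dacd639f30a8a5b9e126ff31532b58fc29c8364604d00
Path: c:\ProgramData\HncModuleUpdate.exe
111d205422fe90848c2f41cc84ebd96a
3142fc8c1142f25698dabe8921996753
hxxp://www[.]1588-2040[.]co[.]kr/conf/product_old.jpg
hxxp://www[.]korea-tax[.]info/main/local.php
www[.]korea-tax[.]info
"""

# Constructed proxy log: timestamp, client, method, URL, status.
PROXY_LOG = """\
1517847412.123 10.0.0.12 GET http://www.korea-tax.info/main/local.php?id=3 200
1517847415.771 10.0.0.12 GET https://www.1588-2040.co.kr/conf/product_old.jpg 200
1517847420.002 10.0.0.33 GET http://example.com/index.html 200
"""

# Constructed file listing: path -> content (not real samples).
SAMPLE_FILES = {
    "C:\\ProgramData\\HncModuleUpdate.exe": b"MZ" + b"\x00" * 62 + b"constructed",
    "C:\\Windows\\notepad.exe": b"MZ" + b"\x00" * 62 + b"benign",
}

HASH_KIND = {64: "sha256", 32: "md5"}


def refang(s: str) -> str:
    """Undo the defanging conventions used in the list (hxxp, [.])."""
    return s.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def url_key(url: str) -> str:
    """Normalise to host + path so scheme and query differences do not matter."""
    p = urlsplit(url)
    return (p.hostname or "").lower() + p.path


def parse_iocs(text: str) -> dict:
    """Sort each published line into hashes, URLs, hostnames and file paths."""
    iocs = {k: set() for k in ("sha256", "md5", "url", "host", "path")}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        for token in re.findall(r"\b[0-9a-fA-F]{32,64}\b", line):
            if len(token) in HASH_KIND:
                iocs[HASH_KIND[len(token)]].add(token.lower())
        if line.lower().startswith("path:"):
            iocs["path"].add(line.split(":", 1)[1].strip().lower())
        elif line.startswith("hxxp"):
            iocs["url"].add(url_key(refang(line)))
        elif "[.]" in line and "/" not in line:
            iocs["host"].add(refang(line).lower())
    return iocs


def scan_proxy_log(log: str, iocs: dict) -> list:
    """Return (client, url, match_type) for lines touching a URL or host IOC."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        if url_key(url) in iocs["url"]:
            hits.append((parts[1], url, "url"))
        elif (urlsplit(url).hostname or "").lower() in iocs["host"]:
            hits.append((parts[1], url, "host"))
    return hits


def scan_files(files: dict, iocs: dict) -> list:
    """Return (path, match_type) for files matching a hash or path IOC."""
    hits = []
    for path, data in files.items():
        if hashlib.sha256(data).hexdigest() in iocs["sha256"]:
            hits.append((path, "sha256"))
        if hashlib.md5(data).hexdigest() in iocs["md5"]:
            hits.append((path, "md5"))
        if path.lower() in iocs["path"]:
            hits.append((path, "path"))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print(scan_proxy_log(PROXY_LOG, iocs))
    print(scan_files(SAMPLE_FILES, iocs))
```

The host-only fallback in `scan_proxy_log` matters because the same compromised sites hosted several stages under different paths; a request to a listed hostname that is not one of the listed URLs still deserves a look rather than being silently dropped.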