Adobe Flash 0-day Indicators of Compromise (IOCs)


Another day, another Adobe Flash vulnerability – this content platform that just never wants to get decommissioned.

Earlier this week, another Adobe Flash 0-day vulnerability was disclosed, and it is being actively exploited in the wild. Adobe published a security advisory (APSA18-01) concerning a Flash vulnerability (CVE-2018-4878). Adobe describes the CVE-2018-4878 flaw and confirms that all Flash Players up to v28.0.0.137 are affected. The issue affects Adobe Flash Player Desktop Runtime on Linux, Mac, and Windows, as well as Flash Player for Google Chrome and Microsoft Edge.

This vulnerability allows an attacker to perform Remote Code Execution (RCE) through a malformed Flash object. KISA (Korean CERT) also confirmed the vulnerability and published an advisory about the Adobe Flash 0-day. In addition, Talos identified that attackers are already exploiting this vulnerability with a Flash object embedded in a Microsoft Excel document. When the Office document is opened, the exploit (SWF object) is executed and attempts to download the payload from a compromised website. The SWF object installs ROKRAT, a remote administration tool that Talos has been tracking since January 2017.


IOCs: Malware Authors Utilising Spectre/Meltdown Processor Vulnerabilities


The recently disclosed processor vulnerabilities, which affect most major processors, including ARM, Intel and AMD processors, were never going to be left unexploited by malware authors. The Spectre and Meltdown CPU vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754), which exploit “chip flaws” on affected processors, may allow an attacker to access sensitive data by bypassing several memory isolation mechanisms used by vendors that aim to increase CPU performance. This “chip flaw” may even allow an attacker to access memory that is allocated for kernel-related tasks. Essentially, every processor developed since 1995 by the above chip manufacturers is vulnerable. Until the chip manufacturers release workable patches that do not degrade CPU performance and cause several issues, users remain vulnerable to attacks, and more specifically to malware that exploits the above-mentioned vulnerabilities.

Below we have a list of hashes of several possible malware families utilising those vulnerabilities. MalwareHunters Team is consistently analysing and tracking several malware samples, so stay tuned as we update this list. In the meantime, ensure your web browser, AV, and any other software are up-to-date with the latest security patches.


Comparing WannaCry, NotPetya and Bad Rabbit


All you need to know: Comparing WannaCry vs NotPetya vs Bad Rabbit

On 14 April 2017, during the Easter holiday, the mysterious ShadowBrokers group, which over the past 7-8 months has leaked several gigabytes’ worth of the NSA’s software exploit weapons, published its most critical cyber weapon release on GitHub.

The 0-day exploits in the latest release targeted several Windows versions, including Windows XP, Windows Server 2012, Windows 8 and Windows 2008 R2. Microsoft addressed those vulnerabilities a few days later, so they were no longer 0-day exploits. As reported on Friday 14 April by Emptywheel, a ShadowBrokers release from early January gave NSA officials notice of some of the exploit names obtained by the mysterious person or group that were included in Friday’s release. The extra time Microsoft needed to patch the bugs might have something to do with February’s unprecedented canceling of Patch Tuesday, or might simply be because Microsoft secretly paid off the Shadow Brokers for the vulnerabilities.


Abusing GDI Objects for ring0 Primitives Revolution


Exploiting MS17-017 EoP Using Color Palettes

This post is an accompaniment to the Defcon 25 talk given by Saif. One of the core topics of the talk was the release of a new GDI object abuse technique, named Palette Objects. Saif presented a previously unreleased Windows 7 SP1 x86 exploit involving this newly discovered GDI object abuse technique.

A complete white-paper on the topic was released and can be found here: Whitepaper

Both exploits discussed in the talk were also released, and their source code can be found here:
