Adobe Systems has just released an important security update for Flash Player after the discovery of a zero-day vulnerability. The vulnerability was found being exploited in a phishing campaign in which malware was embedded as a Flash ActiveX object inside Microsoft Word documents posing as employee applications for a Russian state healthcare clinic.
“These updates address one critical vulnerability in Adobe Flash Player and one important vulnerability in Adobe Flash Player installer. Successful exploitation could lead to arbitrary code execution and privilege escalation in the context of the current user respectively.”
The vulnerability, known as CVE-2018-25982, is a use-after-free flaw that enables arbitrary code execution in Adobe Flash, giving an attacker command-line control of the victim’s system. It was found embedded in Microsoft Office documents after those documents were uploaded to VirusTotal from a Ukrainian IP address. The malicious documents were discovered by two companies: Gigamon and Qihoo 360 Core.
The malware supported both 32-bit and 64-bit systems. The vulnerability affected Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11, all at versions 126.96.36.199 and earlier, as well as the Adobe Flash Player Installer at versions 188.8.131.52 and earlier.
The employee application had the creator name ‘tvkisdsy’ and was a fake application for Russian clinics. When a victim opened the application, the embedded Flash ActiveX object would execute, escalating its privileges from Microsoft Office. A malicious command would then extract and execute the payload by dropping a JPG file; that file would unpack a RAR archive, and the RAR archive would in turn drop the EXE onto the victim’s machine.
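Because the delivery vehicle described above is a Flash ActiveX object inside an OOXML document, a defender can triage suspect .docx files by checking whether any ActiveX part references the Shockwave Flash control or whether any part begins with an SWF header. The following is an added example (not code from the original article or from the researchers involved); the Flash CLSID it checks for is the well-known Shockwave Flash control class id, and the sample document it scans is constructed in memory.

```python
import io
import zipfile

# CLSID of the Shockwave Flash ActiveX control, as Word records it in word/activeX/activeX<N>.xml
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# Magic bytes of uncompressed, zlib-compressed and LZMA-compressed SWF files
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

def scan_docx(data: bytes) -> list:
    """Return (entry, reason) findings for Flash content inside an OOXML document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            lower = name.lower()
            # Every ActiveX control in a Word document has a descriptor XML carrying its classid
            if lower.startswith("word/activex/") and lower.endswith(".xml"):
                if FLASH_CLSID in blob.decode("utf-8", "ignore").upper():
                    findings.append((name, "Flash ActiveX control (classid match)"))
            # Any part that starts with an SWF header is an embedded Flash movie,
            # regardless of the extension it carries (the payload need not be named .swf)
            if blob[:3] in SWF_MAGICS:
                findings.append((name, "SWF header %s" % blob[:3].decode()))
    return findings

def build_sample_docx(with_flash: bool) -> bytes:
    """Construct a minimal fake .docx in memory for testing (constructed data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            z.writestr("word/activeX/activeX1.xml",
                       '<ax:ocx ax:classid="{%s}"/>' % FLASH_CLSID.lower())
            # Fake SWF body: compressed-SWF magic followed by filler bytes
            z.writestr("word/activeX/activeX1.bin", b"CWS\x0a" + b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    for entry, reason in scan_docx(build_sample_docx(True)):
        print(entry, "->", reason)
```

The classid check is the more reliable of the two, since Word always writes it; the SWF-magic check only catches parts that start directly with the SWF header.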
Researchers at both Gigamon and Qihoo 360 Core found similarities between this exploit and a zero-day created by HackingTeam, an Italian spyware vendor that was itself hacked in 2015.
If your organization has discovered a zero-day attack, contact LIFARS immediately for assistance from our Incident Response Team.