Hacking Team’s Flash 0-day exploit used against Korean targets before it was leaked

The Adobe Flash zero-day (CVE-2015-5119) exploit found in the Hacking Team’s leaked data has already been added to several exploit kits, but Trend Micro researchers have found evidence of it being used before the data was leaked.

Flagged by the company’s Smart Protection Network, the exploit was apparently used to compromise a number of South Korean targets and one Japanese target.

“In late June, we learned that a user in Korea was the attempted target of various exploits, including CVE-2014-0497, a Flash vulnerability discovered last year,” threat analyst Weimin Wu explains.

“Traffic logs indicate the user may have received spearphishing emails with attached documents. These documents contained a URL for the user to visit; this URL led to a site hosted in the United States which contained a Flash exploit, detected as SWF_EXPLOYT.YYKI. This particular exploit targets the zero-day Adobe vulnerability that was disclosed during the Hacking Team leak.”

The exploit was used to download a Trojan onto the target’s computer, which then downloaded several other malicious payloads and created malicious processes.

“The exploit code we found is very similar to the code published as part of the Hacking Team leak. As a result of this, we believe that this attack was carried out by someone with access to the Hacking Team tools and code,” Wu noted, and added that “from a purely engineering perspective, this code was very well written.”

Adobe released a patch for the CVE-2015-5119 vulnerability on Wednesday.
