Adobe has released an out-of-band security update for Flash Player that fixes two vulnerabilities, one of which is a zero-day (CVE-2018-15982) that has been spotted being exploited in the wild.
About the vulnerability (CVE-2018-15982)
CVE-2018-15982 is a use-after-free in the Flash’s file package com.adobe.tvsdk.mediacore.metadata that can be exploited to deliver and execute malicious code on a victim’s computer.
It was flagged on November 29 by researchers with Gigamon Applied Threat Research (ATR) and Qihoo 360 Core Security after the Microsoft Office document that carried the maliciously crafted Flash object was submitted to VirusTotal from a Ukranian IP address.
Further analysis revealed that the Flash exploit was self-encapsulated within the document and works on both 32–bit and 64-bit systems.
Once the vulnerability was triggered, another payload was downloaded and run: an encrypted backdoor disguised as an NVIDIA control panel application, digitally signed with a valid certificate (that has since been revoked).
The backdoor is capable of monitoring user activity (mouse moves, typing on keyboard), collecting machine information and sending it to a C&C, executing shellcode, loading PE in memory and downloading file execution code.
If it detects AV software on the device, it will self-destruct. If not, it will copy itself to another directory and add a scheduled task disguised to be a NVIDIA control panel to start, thus achieving persistence on the system.
Who’s behind the attacks?
The Microsoft Office document carrying the exploit is a Russian language document that masquerades as an employment application for a Russian state healthcare clinic.
Gigamon ATR researchers discovered another similar one that contained nearly identical content and the same exploit – it was submitted to VirusTotal by the same submitter ID and from the same country (Ukraine) as the initial one, just a short time after.
At this time it’s impossible to tell whether the attacker was checking whether the malicious file would be flagged by VirusTotal or whether the victim or victims were doing the checking.
Qihoo researchers posit that the file might have been wielded by either Russians or Ukrainians, as it popped up shortly after the most recent military incident between the two countries.
But both them and Gigamon ATR researchers pointed out the use of some known HackingTeam code for the exploit, and the latter also pointed out other similarities in how this and past HackingTeam attacks used zero-day exploits in Flash documents.
“Typically, these Flash files lacked obfuscation or staging. Additionally, exploits often contained compatibility of exploits and shellcode across 32-bit and 64-bit architectures,” they noted.
Still, given that HackingTeam code has been leaked online following the breach suffered by the company in 2015 and has since been reused by other cyber actors, it’s hard (if not impossible) to pinpoint who’s behind the attack.
What to do?
But for all those who still use Flash Player it really doesn’t matter who’s the attacker. What matters is that this exploit is in the wild and that there is a lot of information about how it works and how Adobe patched the flaw, meaning that other attackers might be able to recreate it.
Users are advised to update their desktop Flash Player app and Google Chrome or Microsoft Internet Explorer or Edge as soon as possible, as the browsers still incorporate and use Flash Player.
“Although the death of Flash has been widely reported thanks to industry efforts to deprecate and remove Flash from web browsers, vectors such as Microsoft Office remain able to load and execute Flash content,” Gagamon researchers noted.
“As such, exploits against zero-day vulnerabilities that allow for command execution using relatively stock enterprise software are valuable. Flash exploitation can be expected to continue as long as there are valid weaponization vectors that permit reliable execution.”