Cybersecurity researchers have discovered a new zero-day vulnerability in Adobe Flash Player that hackers are actively exploiting in the wild as part of a targeted campaign appears to be attacking a Russian state health care institution.
The vulnerability, tracked as CVE-2018-15982, is a use-after-free flaw resides in Flash Player that, if exploited successfully, allows an attacker to execute arbitrary code on the targeted computer and eventually gain full control over the system.
The newly discovered Flash Player zero-day exploit was spotted last week by researchers inside malicious Microsoft Office documents, which were submitted to online multi-engine malware scanning service VirusTotal from a Ukrainian IP address.
The maliciously crafted Microsoft Office documents contain an embedded Flash Active X control in its header that renders when the targeted user opens it, causing exploitation of the reported Flash player vulnerability.
According to cybersecurity researchers, neither the Microsoft Office file (22.docx) nor the Flash exploit (inside it) itself contain the final payload to take control over the system.
Instead, the final payload is hiding inside an image file (scan042.jpg), which is itself an archive file, that has been packed along with the Microsoft Office file inside a parent WinRAR archive which is then distributed through spear-phishing emails, as shown in the video below:
Upon opening the document, the Flash exploit executes a command on the system to unarchive the image file and run the final payload (i.e., backup.exe) which has been protected with VMProtect and programmed to install a backdoor that is capable of:
- monitoring user activities (keyboard or moves the mouse)
- collecting system information and sending it to a remote command-and-control (C&C) server,
- executing shellcode,
- loading PE in memory,
- downloading files
- execute code, and
- performing self-destruction.
Researchers from Gigamon Applied Threat Research and Chinese cyber-security firm Qihoo 360 Core Security, who spotted and named the malware campaign as “Operation Poison Needles,” have not attributed the attack to any state-sponsored hacking group.
However, since the maliciously crafted documents in question purport to be an employment application for a Russian state healthcare clinic that is affiliated to the Presidential Administration of Russia and was uploaded on VirusTotal from a Ukrainian IP, researchers believe the attackers could be from Ukraine, considering the political tension between the two countries.
The vulnerability impacts Adobe Flash Player versions 220.127.116.11 and earlier for products including Flash Player Desktop Runtime, Flash Player for Google Chrome, Microsoft Edge and Internet Explorer 11. Adobe Flash Player Installer versions 18.104.22.168 and earlier is also affected.
Researchers reported the Flash zero-day exploit to Adobe on November 29, after which the company acknowledged the issue and released updated Adobe Flash Player version 22.214.171.124 for Windows, macOS, Linux, and Chrome OS; and Adobe Flash Player Installer version 126.96.36.199.
The security updates include a patch for the reported zero-day flaw, along with a fix for an “important” DLL hijacking vulnerability (CVE-2018-15983), which could allow attackers to gain privilege escalation via Flash Player and load a malicious DLL.