News Centre

Adobe Flash Zero-Day Exploit Found Hidden Inside MS Office Docs

Article by Diogo Correa
December 7, 2018

SHARE THIS POST:

Tech-Patrol

Vulnerabilities have been found within Adobe once again. Cybersecurity researchers have discovered a new zero-day vulnerability in Adobe Flash Player that hackers are actively exploiting in the wild as part of a targeted campaign that appears to be targeting a Russian state health care institution before it moves to the rest of the world.

The vulnerability that’s being tracked as CVE-2018-15982, is a use-after-free flaw residing in the Flash PLayer that, if exploited successfully, can allow an attacker to execute arbitrary code on the targeted computer and eventually gain full control over the system.

This vulnerability was spotted last week by researchers inside malicious Microsoft Office documents, which were submitted to online multi-engine malware scanning service VirusTotal that uses a Ukrainian IP address.

 

 

How does this exploit work?

The carefully crafted malicious Microsoft Office documents contained an embedded Flash Active X control in the header of the document that renders when the targeted user opens it, causing exploitation of the reported Flash Player vulnerability. However, according to the researchers, neither the Flash Exploit or the MS file (22.docx) itself contain the final payload to take control over your system.

The final payload is actually hidden inside an image file (scan42.jpg), which is itself an archive file, that has been packed along with the Microsoft Office file inside a parent WinRAR archive which is then distributed through spear-phishing emails, as shown in the video below:

Upon opening the document, the Flash exploit executes a command on the system to unarchive the image file and run the final payload (i.e., backup.exe) which has been protected with VMProtect and programmed to install a backdoor that is capable of:

  • Monitoring user activities (Keyboard or moves the mouse)
  • Collecting system information and sending it to a remote command-and-control (C&C) server,
  • Executing shellcode,
  • loading PE in memory,
  • downloading files,
  • execute code, and
  • performing self-destruction.

Gigamon researchers Applied Threat Research whilst Chinese cyber-security firm Qihoo 360 Core Security, who spotted and named the malware campaign as “Operation Poison Needles,” have not attributed the attack to any state-sponsored hacking group.

 

 

Am I affected?

The vulnerability impacts Adobe Flash Player versions 31.0.0.153 and earlier for products including Flash Player Desktop Runtime, Flash Player for Google Chrome, Microsoft Edge and Internet Explorer 11. Adobe Flash Player Installer versions 31.0.0108 and earlier is also affected.

Researchers reported the Flash zero-day exploit to Adobe on November 29, after which the company acknowledged the issue and released an updated Adobe Flash Player version 32.0.0.101 for Windows, macOS, Linux, and Chrome OS; and Adobe Flash Player Installer version 31.0.0.122.

This is not the first time this year Adobe has had issues, we reported 11 vulnerabilities (4 critical) that were being patched by the company just in October. If you require assistance with any patching, especially this one, please contact us right away.

If you like to keep up to date with all new alerts, subscribe below.

 

 

Other Articles You May Enjoy: 

 

Subscribe For The Latest In Technology

Other Posts You May Like

FOLLOW US

TECH NEWS & UPDATES

Please enter your name.
Please enter a valid email address.
Something went wrong. Please check your entries and try again.

RECENT POSTS

Tech Patrol PTY LTD

Microsoft Teams Becomes The Most Used Business Collaboration App in The World

TECH PATROL - Accounting

The 4 Accounting Pillars for Digital Transformation

tech Patrol - Managed IT Services

5 Reasons Accounting Firms Should Outsource IT

Devices

Australia’s Best EOFY Device Discounts of 2019: Best Vendors, Clearance Prices!

White Paper

Enjoy this free eBook

Tech Patrol - Microsoft Office 365

White Paper (Why businesses Are Migrating to Cloud)

  • This field is for validation purposes and should be left unchanged.
Scroll to Top