Adobe Flash Zero-Day Exploit Found Hidden Inside MS Office Docs

Article by Diogo Correa
December 7, 2018

Adobe is dealing with a serious vulnerability once again. Cybersecurity researchers have discovered a new zero-day vulnerability in Adobe Flash Player that attackers are actively exploiting in the wild as part of a targeted campaign, one that appears to be aimed at a Russian state health care institution before it moves on to the rest of the world.

The vulnerability, tracked as CVE-2018-15982, is a use-after-free flaw in Flash Player that, if exploited successfully, allows an attacker to execute arbitrary code on the targeted computer and eventually gain full control over the system.

Researchers spotted this vulnerability last week inside malicious Microsoft Office documents that had been submitted to the online multi-engine malware scanning service VirusTotal from a Ukrainian IP address.

How does this exploit work?

The carefully crafted malicious Microsoft Office documents contain a Flash ActiveX control embedded in the header of the document; it renders as soon as the targeted user opens the file and triggers the reported Flash Player vulnerability. However, according to the researchers, neither the Flash exploit nor the Office file itself (22.docx) contains the final payload that takes control of the system.

The final payload is actually hidden inside an image file (scan42.jpg) that is itself an archive. It was packed together with the Office file inside a parent WinRAR archive, which was then distributed through spear-phishing emails, as shown in the video below.

Upon opening the document, the Flash exploit executes a command on the system to unarchive the image file and run the final payload (backup.exe), which has been protected with VMProtect and installs a backdoor capable of:

  • monitoring user activity (keyboard input and mouse movement),
  • collecting system information and sending it to a remote command-and-control (C&C) server,
  • executing shellcode,
  • loading PE files in memory,
  • downloading files,
  • executing code, and
  • self-destructing.
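As an added, defender-side example that is not from the article or from the researchers' reports: a small Python checker for the two artefacts described above, an OOXML document whose header part carries a Flash ActiveX control, and an "image" file whose bytes are really an archive. The Shockwave Flash CLSID is the control's registered identifier; the sample document and the archive bytes are constructed for this example.

```python
import io
import re
import zipfile

# CLSID of the Shockwave Flash ActiveX control (a well-known registered value).
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"
# SWF magic (uncompressed / zlib / LZMA) followed by a plausible version byte.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x30]")
# Archive signatures that may sit behind an image extension.
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "rar", b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z"}

def office_flash_indicators(docx_bytes):
    """List parts of an OOXML document that embed a Flash ActiveX control or SWF data."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            data, low = zf.read(name), name.lower()
            # activeX*.xml parts name the control's CLSID; the Flash CLSID means Flash renders.
            if low.startswith("word/activex/") and low.endswith(".xml"):
                if FLASH_CLSID in data.decode("utf-8", "ignore").lower():
                    hits.append(f"{name}: Shockwave Flash CLSID")
            # A control placed in a header part renders as soon as the page is laid out.
            if re.fullmatch(r"word/header\d*\.xml", low) and b"<w:control" in data:
                hits.append(f"{name}: ActiveX control in document header")
            if SWF_MAGIC.search(data):
                hits.append(f"{name}: SWF signature")
    return hits

def disguised_archive(filename, data):
    """Return the archive type when a file with an image extension starts with archive magic."""
    if not filename.lower().endswith((".jpg", ".jpeg", ".png", ".gif")):
        return None
    return next((kind for magic, kind in ARCHIVE_MAGIC.items() if data.startswith(magic)), None)

def build_docx(parts):
    """Constructed helper: pack part-name/content pairs into a minimal .docx zip (test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample mimicking the described document: a Flash ActiveX control in the header.
SUSPICIOUS_DOCX = build_docx({
    "word/header1.xml": '<w:hdr><w:control r:id="rId1" w:name="ShockwaveFlash1"/></w:hdr>',
    "word/activeX/activeX1.xml": '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>',
    "word/activeX/activeX1.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 28 + b"CWS\x0f" + b"\x00" * 8,
})
CLEAN_DOCX = build_docx({"word/document.xml": "<w:document/>"})
```

Running the checks over an inbound archive's members, rather than relying on the file extension alone, is what would have flagged both the document and the disguised archive before a user ever opened them.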

Gigamon's Applied Threat Research team and the Chinese cyber-security firm Qihoo 360 Core Security, who spotted the campaign and named it “Operation Poison Needles,” have not attributed the attack to any state-sponsored hacking group.

Am I affected?

The vulnerability affects Adobe Flash Player versions 31.0.0.153 and earlier across Flash Player Desktop Runtime, Flash Player for Google Chrome, Microsoft Edge and Internet Explorer 11. Adobe Flash Player Installer versions 31.0.0108 and earlier are also affected.

Researchers reported the Flash zero-day exploit to Adobe on November 29, after which the company acknowledged the issue and released Adobe Flash Player version 32.0.0.101 for Windows, macOS, Linux and Chrome OS, along with Adobe Flash Player Installer version 31.0.0.122.

This is not the first time this year that Adobe has had issues: in October alone we reported 11 vulnerabilities (4 critical) that the company was patching. If you require assistance with any patching, especially this one, please contact us right away.

If you would like to keep up to date with all new alerts, subscribe below.
