On Wednesday, December 5, 2018, Adobe released an update to fix a vulnerability in Adobe Flash Player that is being exploited by a threat group in targeted attacks in Russia. The threat group has previously attacked a healthcare service in Russia that is used by senior civil servants.
The vulnerability was identified by researchers at Gigamon, who passed details to Adobe in late November. Qihoo 360 researchers recently identified an advanced persistent threat campaign that was actively exploiting the vulnerability.
The vulnerability is being exploited using a specially crafted Word document distributed in a spear phishing campaign. The campaign is highly targeted; however, other threat groups may attempt to exploit the same vulnerability in larger, less-targeted campaigns.
The spear phishing campaign used social engineering to trick the recipient into opening a malicious Word document posing as an employee survey. The document was delivered as a .rar attachment to the email, with the archive containing the document, the exploit, and the payload. The Word document contained a malicious Flash ActiveX control in its header.
When the document is opened, the user is shown a Microsoft Office warning that the document may be harmful to the computer. If the content is enabled, the malicious code runs, the vulnerability is exploited, and the attacker gains command line access to the user's system.
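As an added defensive example (not code from the original article or from any of the researchers it cites), the following Python script inspects an OOXML .docx for embedded ActiveX controls, flags any that use the Shockwave Flash control, and reports whether the control is referenced from a header or footer part rather than the document body, which is the placement described above. The Flash CLSID constant is the well-known class identifier of the Flash ActiveX control; the sample document built by `build_sample_docx()` is constructed inline for the demonstration and is not the actual lure.

```python
import io
import re
import zipfile

# Well-known CLSID of the Shockwave Flash ActiveX control. An ActiveX part
# declaring this class id is a Flash object embedded in the document.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"

CLASSID_RE = re.compile(r'classid="\{?([0-9A-Fa-f-]{36})\}?"')
REL_RE = re.compile(r"<Relationship\b[^>]*>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
ACTIVEX_PART_RE = re.compile(r"word/activeX/activeX\d+\.xml")
HEADER_FOOTER_RE = re.compile(r"/(header|footer)\d*\.xml$")


def _resolve_target(target):
    """Resolve a relationship Target (relative to word/) to a package part name."""
    if target.startswith("/"):
        return target[1:]
    return "word/" + target.lstrip("./")


def scan_docx(data):
    """Return one finding per ActiveX control part in a .docx given as bytes.

    Each finding records the control part, its CLSID, whether it is the Flash
    control, the parts (body, headers, footers) whose relationships reference
    it, and whether any of those referrers is a header or footer.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        controls = [n for n in names if ACTIVEX_PART_RE.fullmatch(n)]

        # Reverse index: ActiveX part -> parts whose .rels reference it.
        referrers = {}
        for n in names:
            if not (n.startswith("word/_rels/") and n.endswith(".rels")):
                continue
            source = "word/" + n[len("word/_rels/"):-len(".rels")]
            for rel in REL_RE.findall(z.read(n).decode("utf-8", "replace")):
                attrs = dict(ATTR_RE.findall(rel))
                target = attrs.get("Target", "")
                if "activeX" in target:
                    referrers.setdefault(_resolve_target(target), []).append(source)

        for ctrl in controls:
            xml = z.read(ctrl).decode("utf-8", "replace")
            m = CLASSID_RE.search(xml)
            clsid = m.group(1).upper() if m else None
            refs = sorted(referrers.get(ctrl, []))
            findings.append({
                "control": ctrl,
                "clsid": clsid,
                "is_flash": clsid == FLASH_CLSID,
                "referenced_by": refs,
                "in_header_or_footer": any(HEADER_FOOTER_RE.search(p) for p in refs),
            })
    return findings


def build_sample_docx():
    """Constructed sample: a minimal .docx whose header embeds a Flash control."""
    header_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:hdr xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:p><w:r><w:object><w:control r:id="rId1" w:name="ShockwaveFlash1"/>'
        "</w:object></w:r></w:p></w:hdr>"
    )
    header_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/control" '
        'Target="activeX/activeX1.xml"/></Relationships>'
    )
    activex_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
        'ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}" ax:persistence="persistPropertyBag"/>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")  # body with no controls
        z.writestr("word/header1.xml", header_xml)
        z.writestr("word/_rels/header1.xml.rels", header_rels)
        z.writestr("word/activeX/activeX1.xml", activex_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_docx(build_sample_docx()):
        print(f)
```

To scan a real attachment, pass the file's bytes to `scan_docx()`; a Flash control referenced from a header or footer part is worth treating as suspicious, since normal business documents rarely embed Flash there.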
The payload, named backup.exe, masquerades as an NVIDIA Control Panel application, with a matching icon and a (stolen) certificate. If the payload runs, system information is collected and sent back to the attacker's remote server via HTTP POST. Shellcode is also downloaded and executed on the infected device.
The vulnerability, tracked as CVE-2018-15982, is present in version 31.0.0.153 and all earlier versions of Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11. Versions 31.0.0.108 and earlier of Adobe Flash Player Installer are also affected.
Users are advised to update to version 32.0.0.101 (version 31.0.0.122 of Adobe Flash Player Installer) as soon as possible. The update also fixes the Insecure Library Loading (DLL hijacking) privilege escalation vulnerability CVE-2018-15983.