Flash 0 Day In The Wild: Group 123 At The Controls
This blog post is authored by Warren Mercer and Paul Rascagneres.
Executive Summary
On 1 February, Adobe published an advisory concerning a Flash vulnerability (CVE-2018-4878). This vulnerability is a use-after-free that allows remote code execution through a malformed Flash object. Additionally, KISA (the Korean CERT) published an advisory about a Flash 0-day used in the wild. Talos identified that an attacker exploited this vulnerability with a Flash object embedded in a Microsoft Excel document. When the document was opened, the exploit executed in order to download an additional payload from a compromised website.
We identified the downloaded payload as the well-known Remote Administration Tool named ROKRAT. We have already written extensively about this RAT in several articles on this blog: here, here, here and here. It is particularly used with cloud platforms in order to exfiltrate documents and manage infected systems.
Flash 0-Day: CVE-2018-4878
The campaign started with a malicious Microsoft Excel sheet:
This …
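One detection-side check a defender can apply to the Excel lure described above, as an added example that is not Talos's code or anything from this post: it carves SWF headers out of an Office document so that a Flash object embedded in a spreadsheet is flagged before it ever reaches the player. The version and size cut-offs are heuristic assumptions, and the sample documents are constructed inline.

```python
import io
import struct
import zipfile
# SWF header: 3-byte signature (uncompressed / zlib / LZMA), 1-byte version, LE uint32 length.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
MAX_VERSION = 50               # heuristic cut-offs (assumptions) that drop random "FWS" text hits
MAX_LENGTH = 64 * 1024 * 1024

def find_swf_headers(data: bytes):
    """Return (offset, signature, version, length) for each plausible SWF header in data."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                if 1 <= version <= MAX_VERSION and 8 <= length <= MAX_LENGTH:
                    hits.append((pos, magic.decode(), version, length))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def scan_office_document(blob: bytes):
    """Map container member -> SWF hits. OOXML (.xlsx) is a zip, so each member such as
    xl/embeddings/oleObject1.bin is scanned; legacy OLE2 (.xls) is scanned as one raw blob."""
    findings = {}
    if blob[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                hits = find_swf_headers(zf.read(name))
                if hits:
                    findings[name] = hits
    else:
        hits = find_swf_headers(blob)
        if hits:
            findings["<raw>"] = hits
    return findings

def _constructed_swf(magic: bytes, version: int, length: int) -> bytes:
    """Constructed stand-in for an embedded Flash object: valid header plus zero filler, not a real SWF."""
    return magic + bytes([version]) + struct.pack("<I", length) + b"\x00" * 24

def build_sample_xlsx() -> bytes:
    """Constructed .xlsx-like zip with a Flash object inside an OLE embedding member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 16 + _constructed_swf(b"CWS", 28, 4096))
    return buf.getvalue()

# Constructed legacy .xls-style blob: OLE2 magic, padding, then an uncompressed SWF header.
SAMPLE_XLS = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8 + _constructed_swf(b"FWS", 10, 100)
```

A raw scan of an OLE2 file works because a stream's first bytes are sector-aligned, so the 8-byte header is never split; a full parser would still be needed to reassemble the SWF body for deeper inspection.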
IoC