Hermes ransomware distributed to South Koreans via recent Flash zero-day
This blog post was authored by @hasherezade, Jérôme Segura and Vasilios Hioureas.
At the end of January, the South Korean Emergency Response Team (KrCERT) published news of a Flash Player zero-day used in targeted attacks. The flaw affects Flash Player 28.0.0.137 and below, and the exploit for it was distributed via malicious Office documents with the Flash exploit embedded. Only a couple of weeks after the public announcement, spam campaigns were already beginning to pump out malicious Word documents containing the newly available exploit.
While spam has been an active distribution channel for some time now, the news of a Flash exploit would most certainly interest exploit kit authors as well. Indeed, in our previous blog post about this vulnerability (CVE-2018-4878), we showed how trivial it was to take an already available Proof-of-Concept and package it as a drive-by download instead.
On March 9th, MDNC discovered that a less common, but more sophisticated exploit kit …
IoC
[email protected]
[email protected]
159.65.131.94
207.148.104.5
237eee069c1df7b69cee2cc63dee24e6
28.0.0.137
A5A0964B1308FDB0AEB8BD5B2A0F306C99997C7C076D66EB3EBCDD68405B1DA2
http://159.65.131.94
http://207.148.104.5
http://accompanied.bannerexposure.info
http://aquaadvertisement.com
http://assessed.secondadvertisements.com
http://bannerssale.com
http://gmail.com
http://hunting.bannerexposure.info
http://keemail.me
http://marketing.roadadvertisements.com
http://name.secondadvertisements.com
http://staradvertsment.com
http://switzerland.innovativebanner.info
http://technologies.roadadvertisements.com
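The IoC list above mixes several indicator types (IPv4 addresses, an MD5, a SHA-256, URLs, and the vulnerable Flash version number) and, read naively, would also put two public mail-provider domains on a blocklist. The script below is an added example, not code from the original post or from Malwarebytes, that normalises the page's own list into per-type watchlists and runs it over a few constructed proxy log lines. Two caveats a practitioner would want are handled explicitly: "28.0.0.137" is the Flash version named in the post but is also a syntactically valid IPv4 address, and gmail.com / keemail.me are shared mail services rather than attacker infrastructure. The log format and the sample lines are assumptions made for the example; the two "[email protected]" entries are redacted on the page and are therefore omitted.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# IoCs exactly as printed on the page (the two redacted e-mail entries are left out).
PAGE_IOCS = [
    "159.65.131.94", "207.148.104.5",
    "237eee069c1df7b69cee2cc63dee24e6", "28.0.0.137",
    "A5A0964B1308FDB0AEB8BD5B2A0F306C99997C7C076D66EB3EBCDD68405B1DA2",
    "http://159.65.131.94", "http://207.148.104.5",
    "http://accompanied.bannerexposure.info", "http://aquaadvertisement.com",
    "http://assessed.secondadvertisements.com", "http://bannerssale.com",
    "http://gmail.com", "http://hunting.bannerexposure.info", "http://keemail.me",
    "http://marketing.roadadvertisements.com", "http://name.secondadvertisements.com",
    "http://staradvertsment.com", "http://switzerland.innovativebanner.info",
    "http://technologies.roadadvertisements.com",
]

# The vulnerable Flash Player version named in the post. It is not a network
# indicator, but ip_address() would happily accept it as an IPv4 address.
NOT_NETWORK_INDICATORS = {"28.0.0.137"}

# Public mail providers: the attacker contact addresses are hosted there, but
# blocking the domains themselves would flag ordinary user traffic.
SHARED_SERVICE_DOMAINS = {"gmail.com", "keemail.me"}


def classify(ioc):
    """Return the indicator type of one raw IoC string from the list."""
    if ioc in NOT_NETWORK_INDICATORS:
        return "version"
    if re.fullmatch(r"[0-9a-fA-F]{32}", ioc):
        return "md5"
    if re.fullmatch(r"[0-9a-fA-F]{64}", ioc):
        return "sha256"
    if ioc.startswith(("http://", "https://")):
        host = urlsplit(ioc).hostname or ""
        try:
            ip_address(host)
            return "url_ip"
        except ValueError:
            return "url_domain"
    try:
        ip_address(ioc)
        return "ipv4"
    except ValueError:
        return "unknown"


def build_watchlist(iocs):
    """Normalise the raw list into lookup sets; excluded entries are kept for audit."""
    wl = {"ip": set(), "domain": set(), "hash": set(), "excluded": set()}
    for ioc in iocs:
        kind = classify(ioc)
        if kind in ("md5", "sha256"):
            wl["hash"].add(ioc.lower())          # compare hashes case-insensitively
        elif kind == "ipv4":
            wl["ip"].add(ioc)
        elif kind == "url_ip":
            wl["ip"].add(urlsplit(ioc).hostname)  # URL and bare IP collapse to one entry
        elif kind == "url_domain":
            host = urlsplit(ioc).hostname.lower()
            (wl["excluded"] if host in SHARED_SERVICE_DOMAINS else wl["domain"]).add(host)
        else:
            wl["excluded"].add(ioc)
    return wl


def host_matches(host, domains):
    """True if host equals a watched domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed sample log (assumed format: "<timestamp> <client> <dest host> <sha256 or ->").
SAMPLE_LOG = """\
2018-03-09T10:01:02Z 10.0.0.5 hunting.bannerexposure.info -
2018-03-09T10:01:03Z 10.0.0.5 207.148.104.5 -
2018-03-09T10:01:04Z 10.0.0.7 www.gmail.com -
2018-03-09T10:01:05Z 10.0.0.7 mail.example.net -
2018-03-09T10:01:06Z 10.0.0.9 cdn.example.net a5a0964b1308fdb0aeb8bd5b2a0f306c99997c7c076d66eb3ebcdd68405b1da2
"""


def scan_log(log_text, wl):
    """Return (line number, indicator type, matched value) for every hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crashing the scan
        _ts, _client, host, digest = parts
        if host in wl["ip"]:
            hits.append((n, "ip", host))
        elif host_matches(host, wl["domain"]):
            hits.append((n, "domain", host))
        if digest != "-" and digest.lower() in wl["hash"]:
            hits.append((n, "hash", digest.lower()))
    return hits


if __name__ == "__main__":
    watchlist = build_watchlist(PAGE_IOCS)
    print("excluded from blocking:", sorted(watchlist["excluded"]))
    for hit in scan_log(SAMPLE_LOG, watchlist):
        print("line %d: %s match on %s" % hit)
```

Running the script reports three hits (the bannerexposure.info host, the 207.148.104.5 address, and the SHA-256 regardless of the case it was logged in) while the www.gmail.com line is left alone because its parent domain was routed to the excluded set.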