Targeted Attacks Against South Korean Entities May Have Been as Early as November 2017
On January 31, 2018, KrCERT/CC, the Republic of Korea’s (South Korea) Computer Emergency Response Team, released a notice regarding an Adobe Flash vulnerability, designated CVE-2018-4878. The notice stated that this zero-day vulnerability affects all versions of Adobe Flash Player ActiveX up to 28.0.0.137, which Adobe released on January 9, 2018. KrCERT/CC recommended uninstalling Flash Player and refraining from using Internet Explorer until Adobe releases a patch addressing the zero-day.
At …
IoC
rule crime_ole_loadswf_cve_2018_4878
{
    meta:
        // DESCRIPTION
        description = "Detects CVE-2018-4878"
        vuln_type = "Remote Code Execution"
        vuln_impact = "Use-after-free"
        affected_versions = "Adobe Flash 28.0.0.137 and earlier versions"
        mitigation0 = "Implement Protected View for Office documents"
        mitigation1 = "Disable Adobe Flash"
        weaponization = "Embedded in Microsoft Office first payloads"
        actor = "Purported North Korean actors"
        reference = "hxxps://www[.]krcert[.]or[.]kr/data/secNoticeView.do?bulletin_writing_sequence=26998"
        author = "Vitali Kremez, Flashpoint"
        version = "1.1"
    strings:
        // EMBEDDED FLASH OBJECT BIN HEADER
        $header = "rdf:RDF" wide ascii
        // OBJECT APPLICATION TYPE TITLE
        $title = "Adobe Flex" wide ascii
        // PDB PATH (backslashes escaped as YARA text strings require)
        $pdb = "F:\\work\\flash\\obfuscation\\loadswf\\src" wide ascii
        // LOADER STRINGS
        $s0 = "URLRequest" wide ascii
        $s1 = "URLLoader" wide ascii
        $s2 = "loadswf" wide ascii
        $s3 = "myUrlReqest" wide ascii
    condition:
        // 'and' binds tighter than 'or': the rule fires on either the Flex/RDF branch or the PDB-path branch
        (all of ($header*) and all of ($title*) and 3 of ($s*))
        or (all of ($pdb*) and all of ($header*) and 1 of ($s*))
}
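To sanity-check the rule's condition without a YARA binary (for instance against streams carved out of an Office document), the following stdlib-only Python emulates its matching logic; this is an added example, not code from the Flashpoint post, and the byte samples at the bottom are constructed, not real malware.

```python
"""Emulation of the matching logic in crime_ole_loadswf_cve_2018_4878.
Added example; the sample inputs below are constructed for illustration."""

# Strings from the rule. YARA's "wide ascii" modifier matches both the raw
# ASCII bytes and their UTF-16LE encoding, so both forms are checked here.
RULE_STRINGS = {
    "$header": b"rdf:RDF",
    "$title": b"Adobe Flex",
    "$pdb": b"F:\\work\\flash\\obfuscation\\loadswf\\src",
    "$s0": b"URLRequest",
    "$s1": b"URLLoader",
    "$s2": b"loadswf",
    "$s3": b"myUrlReqest",   # sic: the misspelling is part of the observed loader
}
LOADER_STRINGS = ("$s0", "$s1", "$s2", "$s3")


def wide_ascii_present(data: bytes, needle: bytes) -> bool:
    """True if needle appears in data as ASCII or as UTF-16LE ("wide")."""
    return needle in data or needle.decode("ascii").encode("utf-16-le") in data


def match_rule(data: bytes) -> bool:
    """Evaluate the rule's condition on one blob of bytes.

    In YARA 'and' binds tighter than 'or', so the condition is two alternatives:
      (header and title and >= 3 loader strings)  or  (pdb and header and >= 1 loader string)
    """
    hit = {name: wide_ascii_present(data, s) for name, s in RULE_STRINGS.items()}
    loader_hits = sum(hit[n] for n in LOADER_STRINGS)
    flex_branch = hit["$header"] and hit["$title"] and loader_hits >= 3
    pdb_branch = hit["$pdb"] and hit["$header"] and loader_hits >= 1
    return flex_branch or pdb_branch


# Constructed inputs: a Flex-style blob with the title stored wide, a blob
# carrying the PDB path, and a benign-looking blob with too few loader strings.
SAMPLE_FLEX = b"<rdf:RDF>" + "Adobe Flex".encode("utf-16-le") + b" URLRequest URLLoader loadswf"
SAMPLE_PDB = b"rdf:RDF " + b"F:\\work\\flash\\obfuscation\\loadswf\\src" + b" myUrlReqest"
SAMPLE_BENIGN = b"rdf:RDF Adobe Flex URLRequest"

if __name__ == "__main__":
    for name, blob in (("flex", SAMPLE_FLEX), ("pdb", SAMPLE_PDB), ("benign", SAMPLE_BENIGN)):
        print(f"{name}: {'MATCH' if match_rule(blob) else 'no match'}")
```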