Targeted Attacks Against South Korean Entities May Have Been as Early as November 2017
2018-02-02 • Flashpoint-intel
https://www.flashpoint-intel.com/blog/targeted-attacks-south-korean-entities/
Flashpoint reported that KrCERT issued a warning on January 31, 2018 about the then-unpatched Adobe Flash vulnerability CVE-2018-4878, which affects Flash Player ActiveX 28.0.0.137 and earlier. A South Korean researcher said the exploit was being delivered to South Korean targets inside a Korean cosmetics-themed Excel document and attributed it to North Korean actors; Flashpoint noted that this attribution was not independently corroborated. Debug metadata in the samples suggested exploitation may have begun as early as November 14, 2017, and exposed the builder path F:\work\flash\obfuscation\loadswf\src. The archive also preserves detection material: four MD5s, two C2 URLs under Korean .co.kr domains, and a YARA rule for Flash payloads embedded in Office documents.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| Version string (mis-tagged as IPv4; this is the affected Flash Player build, not a network indicator) | 28.0.0.137 | 2018-02-02 | 2018-03-14 |
| YARA | crime_ole_loadswf_cve_2018_4878 | 2018-02-02 | 2018-02-02 |
| HASH | 9593d277b42947ef28217325bcc1fe50 | 2018-02-02 | 2018-02-02 |
| HASH | 4c1533cbfb693da14e54e5a92ce6faba | 2018-02-02 | 2018-02-02 |
| HASH | 5f97c5ea28c0401abc093069a50aa1f8 | 2018-02-02 | 2018-02-02 |
| HASH | 1f93c09eed6bb17ec46e63f00bd40ebb | 2018-02-02 | 2018-02-02 |
| URL | http://www.1588-2040.co.kr/desi… | 2018-02-02 | 2018-02-02 |
| URL | http://www.dylboiler.co.kr/admi… | 2018-02-02 | 2018-02-02 |
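The YARA rule named above is not reproduced on this page, so the following is an added example, written for this summary and not Flashpoint's own code, of the kind of triage a responder would run over an Office document to look for an embedded Flash object and to check the file against the MD5s in the table. It assumes the document is an OLE2 (Compound File) .xls, locates SWF headers by their FWS/CWS/ZWS magic plus a sanity check on the version and length fields, and also looks for the on-disk form of the Shockwave Flash ActiveX CLSID {D27CDB6E-AE6D-11CF-96B8-444553540000}. The sample document and the noise string are constructed inline; no real sample is used. The 8-byte header check is an assumption about how the page's exploit document was built, not a property the page states.

```python
import hashlib
import re
import struct

# MD5s from the IoC table on this page.
KNOWN_MD5S = {
    "9593d277b42947ef28217325bcc1fe50",
    "4c1533cbfb693da14e54e5a92ce6faba",
    "5f97c5ea28c0401abc093069a50aa1f8",
    "1f93c09eed6bb17ec46e63f00bd40ebb",
}

# Compound File Binary (OLE2) signature that legacy .xls/.doc files start with.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Shockwave Flash ActiveX control CLSID {D27CDB6E-AE6D-11CF-96B8-444553540000}
# in its on-disk form (first three fields little-endian). Office writes this
# CLSID when a Flash object is embedded through the ActiveX control.
FLASH_CLSID_BIN = bytes.fromhex("6EDB7CD26DAECF1196B8444553540000")

# SWF files begin with FWS (uncompressed), CWS (zlib) or ZWS (LZMA), then a
# 1-byte version and a little-endian uint32 uncompressed length.
SWF_MAGIC = re.compile(rb"(FWS|CWS|ZWS)")


def find_embedded_swfs(data):
    """Return plausible SWF headers found anywhere in `data`."""
    hits = []
    for m in SWF_MAGIC.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue
        version = data[off + 3]
        declared_len = struct.unpack_from("<I", data, off + 4)[0]
        # Three ASCII letters occur by chance; require a sane version byte and
        # a declared length that at least covers the 8-byte header.
        if version == 0 or version > 64 or declared_len < 8:
            continue
        hits.append({"offset": off, "magic": m.group(1).decode(),
                     "version": version, "declared_length": declared_len})
    return hits


def has_flash_clsid(data):
    """True if the Shockwave Flash ActiveX CLSID appears in the file bytes."""
    return FLASH_CLSID_BIN in data


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def triage(data, known=KNOWN_MD5S):
    """Combine hash lookup and structural checks into one verdict dict."""
    digest = md5_hex(data)
    swfs = find_embedded_swfs(data)
    is_ole = data.startswith(OLE_MAGIC)
    return {
        "md5": digest,
        "known_ioc": digest in known,
        "is_ole": is_ole,
        "flash_clsid": has_flash_clsid(data),
        "swf_headers": swfs,
        "suspicious": is_ole and (has_flash_clsid(data) or bool(swfs)),
    }


# Constructed sample: an OLE-shaped blob carrying the Flash CLSID and a
# zlib-style CWS header. This is not a real or malicious document.
SAMPLE_DOC = (
    OLE_MAGIC + b"\x00" * 504            # fake 512-byte OLE header sector
    + FLASH_CLSID_BIN + b"\x00" * 16     # embedded-object CLSID
    + b"CWS" + bytes([28])               # SWF magic + version byte (constructed)
    + struct.pack("<I", 4096)            # declared uncompressed length
    + b"\x78\x9c" + b"\x00" * 30         # zlib stream start + padding
    + b"\x00" * 64
)

# Constructed noise: the letters FWS followed by an implausible header.
NOISE = b"xxFWS\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DOC), indent=2))
    print(find_embedded_swfs(NOISE))
```

Hash matching only catches the four published samples; the structural checks (OLE container plus a Flash CLSID or SWF header) are what generalise to rebuilt payloads, at the cost of flagging benign documents that legitimately embed Flash, which is why the function returns a verdict dict rather than a single boolean.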