New Campaign Exploits CVE-2018-4878 Anew via Malicious Microsoft Word Documents

On February 6, Adobe released a security update in Flash version 28.0.0.161 meant to address CVE-2018-4878, a zero-day remote code execution vulnerability in Adobe Flash Player that attackers exploited through the use of lure documents sent to victims via phishing emails. While the update was meant to plug the security holes in Adobe Flash, it did not prevent attackers from finding other methods of exploiting the vulnerability, as third party security researchers found out when they discovered a new campaign exploiting CVE-2018-4878.

The campaign involves the use of malicious spam — specifically with a spam email that with an embedded link that directs the recipient to a Microsoft Word lure document (Detected by Trend Micro as TROJ_CVE20184878.A and SWF_CVE20184878.A) stored on the malicious website safe-storage[.]biz. After the file is downloaded and executed, it will prompt the user to enable editing mode to view what’s inside the document. This document is what triggers the exploitation of CVE-2018-4878 — in particular, a cmd.exe window is opened that is remotely injected with a malicious shellcode. The shellcode will then connect back to the malicious domain and then download a DLL file, which is executed via the legitimate Microsoft Register Server tool — a tool used to register DLLs in Windows. Executing it via the tool allows it to bypass whitelisting software.

Although the new campaign employed similar tools and tactics to the original campaign, a few small changes made in how the vulnerability was exploited — altering the encryption algorithm and using Microsoft Word files instead of Microsoft Excel files as lure documents — allowed the attackers to bypass static security solutions. In addition, the exploit used in the new campaign did not have a 64-bit version.

The need for proactive incident response

Despite the efforts of both Adobe and various security providers, the attackers managed to outsmart defenses by implementing small, relatively simple changes to the exploit methods. This shows that, despite the effectivity of traditional security solutions in addressing modern security issues, it has its limitations when it comes to mitigating sophisticated attacks pulled off by determined cybercriminals. Security can often be likened to a cat-and-mouse game, where attackers constantly evolve their tools and tactics to evade security providers, while security providers relentlessly try to update their solutions to counter the exponentially growing number of threats.

The truth is that for many organizations, especially those in industries that are particularly vulnerable to targeted attacks such as the financial industry and healthcare, traditional security solutions may not be enough. The typical IT staff is ill-equipped to take on many modern and sophisticated threats, which can infiltrate an organization’s network and systems unnoticed. Many times, an organization will notice an attack once it has already occurred – which can often be too late and will often come at great costs.

Thus, there is a pressing need to detect and address threats via a proactive incident response strategy – which will involve both remediation, which addresses the threat itself, and round-the- clock intrusion detection and threat analysis. Both the decision makers and tech-savvy personnel of an organization need to sit down and create an effective and comprehensive security strategy with the goal of not just being able to respond to threats after the fact, but to protect their networks by investigating, detecting and responding to threats in a proactive manner.

Trend Micro Solutions

Trend Micro™ Deep Security protect user systems from any threat that might target the aforementioned vulnerabily via the following DPI rule:

  • 1008854-Adobe Flash Player Remote Code Execution Vulnerability (CVE-2018-4878)
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.