Patch Now: Adobe Flash Zero-Days Spread Via Spam

Security researchers observed a widespread and ongoing spam campaign that uses malicious documents to abuse two Flash zero-day vulnerabilities that can allow remote code execution (RCE) and insecure library loading (DLL hijacking). Adobe has deployed the patches needed, but users and companies using legacy systems are advised to update their systems as soon as possible.

The spam campaign distributes the malicious documents via web page downloads, email and instant messaging. A socially engineered email or message sent to the user carries a .RAR compressed file containing a .JPG and a Microsoft Word document disguised as an application survey. Opening the document enables the Flash ActiveX control hidden and embedded within it, displaying a prompt that unpacks the exploit.

Once played, the ActiveX control executes the accompanying payload, backup.exe, which is decompressed from inside “scan042.JPG” and carries shellcode for both 32-bit and 64-bit systems. The payload is a remote access trojan (RAT) extracted from the .JPG that collects system information via HTTP POST and takes advantage of the two flaws. CVE-2018-15982 can be used for remote code execution and to gain admin rights on the infected system once communication with the command and control (C&C) server is established. Meanwhile, CVE-2018-15983 can be used for DLL hijacking, escalating privileges through Flash.

Aside from hiding the executable inside the .JPG as a possible means of evading detection, the payload uses VMProtect, a code-protection packer previously seen being used to hinder blocking and reverse engineering efforts. The technique is reminiscent of the maneuver employed by the Hacking Team earlier this year.
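Two of the lure's traits described above can be checked mechanically before a user opens anything: a file named as a .JPG that does not start with JPEG bytes, and a Word document carrying the Flash ActiveX control or raw SWF content. The following Python triage script is an added example, not code from the article or from Trend Micro; the sample archive contents it builds are constructed (the survey.docx name and the dummy bytes are assumptions, scan042.JPG is the name reported in the article), and only OOXML .docx files are inspected, not legacy OLE .doc files.

```python
import io
import zipfile

# Class id of the Shockwave Flash ActiveX control that Word embeds to play Flash.
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed / zlib / LZMA SWF headers
JPEG_MAGIC = b"\xff\xd8\xff"
PE_MAGIC = b"MZ"                        # Windows executable header


def extension_mismatch(name, data):
    """Flag a file named .jpg whose bytes are not a JPEG (e.g. a PE hidden inside)."""
    if not name.lower().endswith((".jpg", ".jpeg")) or data.startswith(JPEG_MAGIC):
        return None
    kind = "PE executable" if data.startswith(PE_MAGIC) else "non-JPEG data"
    return f"{name}: named as JPEG but contains {kind}"


def docx_flash_indicators(data):
    """List parts of a .docx that reference the Flash ActiveX control or embed SWF."""
    try:
        doc = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not an OOXML (zip) document; legacy .doc needs an OLE parser"]
    findings = []
    for part in doc.namelist():
        blob = doc.read(part)
        if part.startswith("word/activeX/") and \
                FLASH_CLSID in blob.decode("latin-1").lower():
            findings.append(f"{part}: Flash ActiveX classid")
        if blob[:3] in SWF_MAGICS:
            findings.append(f"{part}: embedded SWF ({blob[:3].decode()})")
    return findings


def build_constructed_sample():
    """Constructed docx and fake JPEG mimicking the lure layout (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/activeX/activeX1.xml",
                   '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
        z.writestr("word/activeX/activeX1.bin", b"CWS\x0a" + b"\x00" * 16)
    fake_jpg = PE_MAGIC + b"\x90" * 62      # PE header where JPEG bytes belong
    return {"survey.docx": buf.getvalue(), "scan042.JPG": fake_jpg}


if __name__ == "__main__":
    sample = build_constructed_sample()
    print(extension_mismatch("scan042.JPG", sample["scan042.JPG"]))
    print(docx_flash_indicators(sample["survey.docx"]))
```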

Most systems no longer require Flash to load media such as documents, games and videos. Flash usage is in steady decline, as opposed to alternatives such as JavaScript and Silverlight. However, Microsoft Office and other legacy systems can still load and execute Flash content, leaving vulnerabilities in the software available as an exploit vector. The critical flaw affects Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, Microsoft Edge and Internet Explorer 11, all versions of Adobe Flash Player and earlier, and Adobe Flash Player Installer versions and earlier. Adobe was reportedly notified on November 29 and was promptly informed of the deployed solutions.

Cybercriminals will continue finding loopholes for attacks, especially in enterprises that continue to run legacy operating systems. There are still ways to protect your systems:

  • Update your systems with the latest patches to prevent abuse of vulnerabilities.
  • If patches are unavailable, make sure to download available virtual patches.


Trend Micro Solutions

Patching is just the beginning of a well-rounded security strategy. The use of multilayered solutions such as Trend Micro™ Deep Discovery™ will help provide detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle.

Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that abuse vulnerabilities. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed.

Trend Micro Deep Security customers are protected under these rules:

  • 1009405: Adobe Flash Player Use After Free Vulnerability (CVE-2018-15982)
  • 1004373: Identified DLL Side Loading Attempt Over Network Share
  • 1009407: Detected Suspicious DLL Side Loading Attempt Over WebDAV

Trend Micro Deep Discovery Inspector (DDI) customers are protected under these rules:

  • DDI Rule 26: C&C callback attempt
