Security researchers observed a widespread and ongoing spam campaign that uses malicious documents to abuse two Flash zero-day vulnerabilities that can allow remote code execution (RCE) and insecure library loading (DLL hijacking). Adobe has deployed the patches needed, but users and companies using legacy systems are advised to update their systems as soon as possible.
The spam campaign distributes the malicious documents via web page downloads, email and instant messaging. A socially engineered email or message is sent to the user containing a .RAR compressed file with a .JPG and Microsoft Word document disguised as an application survey. Opening the document enables the Flash ActiveX control hidden and embedded within the document, displaying a prompt that unpacks the exploit.
Once played, the ActiveX control executes the accompanying payload, backup.exe, which is decompressed from inside “scan042.JPG” and supports shellcode for 32-bit and 64-bit systems. The payload is a remote access trojan (RAT) extracted from the .JPG to collect system information via HTTP POST, as well as take advantage of the two possible flaws. CVE-2018-15982 can be used for remote code execution and to gain admin rights to the infected system once communication to the command and control (C&C) server is established. Meanwhile, CVE-2018-15983 can be used for DLL hijacking for privilege escalation through Flash.
Aside from the .JPG housing the executable file as a possible means to avoid detection, the payload uses VMProtect, a technique previously seen being used to prevent blocking and reverse engineering efforts. The technique is reminiscent of the maneuver employed by the Hacking Team earlier this year.
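A defender can check image attachments for data hidden after the picture itself. The Python sketch below is an added example, not code from the researchers or from Trend Micro; the article does not say how backup.exe is stored inside the .JPG, so the sketch assumes the common case of content appended after the JPEG end-of-image marker, and its function names and sample bytes are constructed for illustration.

```python
# Archive signatures are searched anywhere in the trailer; "MZ" is too short
# to search for, so it only counts at the very start of the trailer.
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "RAR archive", b"PK\x03\x04": "ZIP archive",
                 b"7z\xbc\xaf\x27\x1c": "7-Zip archive"}

def jpeg_end(data):
    """Walk JPEG segments and return the offset just past the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                    # EOI: the image ends here
            return pos + 2
        if pos + 4 > len(data):
            break
        # Segment length is big-endian and counts its own two bytes.
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                    # SOS: entropy-coded data follows
            # FF00 (stuffing), FFFF (fill) and FFD0-FFD7 (restart) belong to
            # the scan; any other FFxx pair is the next real marker.
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in (0x00, 0xFF)
                    and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")

def scan_jpeg(data):
    """Return (trailing_byte_count, verdict); verdict is None when clean."""
    trailer = data[jpeg_end(data):]
    if not trailer:
        return 0, None
    for magic, name in ARCHIVE_MAGIC.items():
        if magic in trailer:
            return len(trailer), name
    if trailer.startswith(b"MZ"):
        return len(trailer), "PE executable"
    return len(trailer), "unknown data"

# Constructed sample: structurally valid marker stream, not a viewable image.
# The APP1 segment carries a decoy FFD9 that a naive byte search would hit.
SAMPLE_JPEG = (b"\xff\xd8"
               b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               b"\xff\xe1\x00\x06\xff\xd9AB"
               b"\xff\xda\x00\x04\x00\x00\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")

if __name__ == "__main__":
    print(scan_jpeg(SAMPLE_JPEG))
    print(scan_jpeg(SAMPLE_JPEG + b"Rar!\x1a\x07\x00" + b"\x00" * 20))
```

Some cameras and phones legitimately append data after the image, so an "unknown data" verdict is a reason to look closer, while an archive or executable signature in the trailer is a much stronger signal.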
Cybercriminals will continue finding loopholes for attacks, especially in enterprises that continue to use legacy operating systems. There are still ways to protect your system:
Trend Micro Solutions
Patching is just the beginning of a well-rounded security strategy. The use of multilayered solutions such as Trend Micro™ Deep Discovery™ will help provide detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle.
Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats that abuse vulnerabilities. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed.
Trend Micro Deep Security customers are protected under these rules:
1009405 Adobe Flash Player Use After Free Vulnerability (CVE-2018-15982)
1004373 Identified DLL Side Loading Attempt Over Network Share
1009407 Detected Suspicious DLL Side Loading Attempt Over WebDAV
Trend Micro Deep Discovery Inspector (DDI) customers are protected under these rules:
DDI Rule 26 C&C callback attempt