Security researchers observed a widespread and ongoing spam campaign that uses malicious documents to abuse two Flash zero-day vulnerabilities that can allow remote code execution (RCE) and insecure library loading (DLL hijacking). Adobe has deployed the patches needed, but users and companies using legacy systems are advised to update their systems as soon as possible.
The spam campaign distributes the malicious documents via web page downloads, email and instant messaging. A socially engineered email or message sent to the user carries a .RAR compressed file containing a .JPG and a Microsoft Word document disguised as an application survey. Opening the document activates the Flash ActiveX control hidden and embedded within it, displaying a prompt that unpacks the exploit.
Once played, the ActiveX control executes the accompanying payload — backup.exe, decompressed from inside “scan042.JPG” — with shellcode for both 32-bit and 64-bit systems. The payload is a remote access trojan (RAT) extracted from the .JPG that collects system information and sends it via HTTP POST, and that exploits the two flaws. CVE-2018-15982 can be used for remote code execution and to gain administrative rights on the infected system once communication with the command-and-control (C&C) server is established. Meanwhile, CVE-2018-15983 can be used for DLL hijacking, escalating privileges through Flash.
Aside from hiding the executable inside the .JPG as a possible means of evading detection, the payload is protected with VMProtect, a packer previously seen used to hinder blocking and reverse-engineering efforts. The technique is reminiscent of the maneuver employed by the Hacking Team earlier this year.
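As an added defensive example (not from the original article and not Trend Micro's own tooling), the following Python check detects the packaging described above: a JPEG file that carries an executable appended after its End-Of-Image marker. It walks the JPEG segment structure rather than searching for the first FF D9 byte pair, so an EXIF thumbnail's embedded EOI does not produce a false hit. The sample bytes are constructed for the demonstration, not taken from the campaign.

```python
def jpeg_end_offset(data: bytes):
    """Walk the JPEG marker segments and return the offset just past the real
    End-Of-Image (EOI) marker, or None if the input is not a well-formed JPEG.
    Segment lengths are honoured, so an EXIF thumbnail's own EOI is skipped."""
    if not data.startswith(b"\xff\xd8"):          # SOI marker
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                        # EOI: the image ends here
            return pos + 2
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:
            pos += 2                              # stand-alone markers, no length
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                        # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                         # a real marker follows
                pos += 1
    return None


def jpeg_trailer(data: bytes) -> dict:
    """Classify bytes appended after the image: 'MZ' marks a Windows executable,
    'Rar!' a RAR archive; anything else is reported as 'unknown'."""
    end = jpeg_end_offset(data)
    if end is None or end >= len(data):
        return {"trailer_bytes": 0, "kind": None}
    tail = data[end:]
    kind = "pe" if tail.startswith(b"MZ") else "rar" if tail.startswith(b"Rar!") else "unknown"
    return {"trailer_bytes": len(tail), "kind": kind}


# Constructed samples (not real malware): a minimal JPEG (SOI, SOS, EOI) and the
# same JPEG with a 64-byte PE-style stub appended after the EOI marker.
CLEAN_JPG = b"\xff\xd8\xff\xda\x00\x02\x12\x34\xff\xd9"
STAGED_JPG = CLEAN_JPG + b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    print(jpeg_trailer(CLEAN_JPG))    # {'trailer_bytes': 0, 'kind': None}
    print(jpeg_trailer(STAGED_JPG))   # {'trailer_bytes': 64, 'kind': 'pe'}
```

A non-zero trailer is not proof of malice on its own (some cameras and editors append metadata), but a trailer beginning with a PE or archive signature is a strong signal worth alerting on at the mail gateway or endpoint.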
Cybercriminals will continue finding loopholes for attacks, especially in enterprises that continue to use legacy operating systems. There are still ways to protect your system:
Update your systems with the latest patches to prevent abuse of vulnerabilities.
If patches are unavailable, make sure to download available virtual patches.
Trend Micro Solutions
Patching is just the beginning of a well-rounded security strategy. Multilayered solutions such as Trend Micro™ Deep Discovery™ help provide detection, in-depth analysis, and proactive response to today’s stealthy malware and targeted attacks in real time. Deep Discovery provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle.