On Wednesday, December 5, 2018, Adobe released an update to rectify a vulnerability in Adobe Flash Player that is being leveraged by a threat group in targeted attacks in Russia. The threat group has previously attacked a healthcare service in Russia that is used by senior civil servants.
The vulnerability was identified by researchers at Gigamon who passed on details of the vulnerability to Adobe in late November. Qihoo 360 scientists lately identified an advanced constant threat campaign that was actively abusing the vulnerability.
The vulnerability is being abused using a particularly created Word document which is being dispersed using a spear phishing campaign. The campaign is extremely targeted; however, it is possible that other threat groups might try to abuse the same vulnerability in bigger, less-targeted campaigns.
The spear-phishing campaign used social engineering methods to deceive the receiver into opening a malicious Word document that impersonated as a worker survey. The document was transmitted as a .rar attachment to the electronic mail, with the compressed file having the document, the exploit, and the payload. The Word document had a malevolent Flash Active X control in the header.
Upon opening the document, the user is presented with a Microsoft Office alerting that the document might be damaging to the computer. If the content is enabled, the malevolent code will be performed, the vulnerability will be abused, and the attacker will gain command line access to the user’s system.
The payload, named backup.exe masquerades as an NVIDIA Control Panel application with a matching icon and (stolen) certificate. If the payload is performed, system information will be collected which will be sent back to the attacker’s distant server through HTTP POST. Shellcode will also be downloaded and run on the infected appliance.
The vulnerability, followed as CVE-2018-15982, is present in type 220.127.116.11 and all earlier types of Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11. Types 18.104.22.168 and earlier of Adobe Flash Player Installer also have the vulnerability.
Users are suggested to update to type 22.214.171.124 (Type 126.96.36.199 of Adobe Flash Player Installer) as soon as possible. The update also repairs the Insecure Library Loading (DLL hijacking) privilege escalation weakness CVE-2018-15983.