{"id":11377,"date":"2018-02-05T14:10:05","date_gmt":"2018-02-05T22:10:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/05\/news-5148\/"},"modified":"2018-02-05T14:10:05","modified_gmt":"2018-02-05T22:10:05","slug":"news-5148","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/02\/05\/news-5148\/","title":{"rendered":"New Flash Player zero-day comes inside Office document"},"content":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura | Date: Mon, 05 Feb 2018 20:55:16 +0000<\/strong><\/p>\n<p>A new Flash Player zero-day has been found in recent targeted attacks, as <a href=\"https:\/\/www.krcert.or.kr\/data\/secNoticeView.do?bulletin_writing_sequence=26998\" target=\"_blank\" rel=\"noopener\">reported by KrCERT<\/a>. The flaw, which exists in Flash Player 28.0.0.137 and earlier versions, allows an attacker to remotely execute malicious code. On February 1, Adobe published a <a href=\"https:\/\/helpx.adobe.com\/security\/products\/flash-player\/apsa18-01.html\" target=\"_blank\" rel=\"noopener\">security advisory<\/a> acknowledging this zero-day:<\/p>\n<blockquote>\n<p>Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users. These attacks leverage Office documents with embedded malicious Flash content distributed via email.<\/p>\n<\/blockquote>\n<p>Threat actors used a decoy Microsoft Excel document to lure their intended targets (some South Korean users) in order to infect them with a remote administration tool named ROKRAT. While not obvious at first, an ActiveX object has been embedded into the document and contains the Flash exploit. 
Highlighting cells reveals a small white rectangle that represents the embedded object:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-21454\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/ActiveX.png\" alt=\"\" width=\"756\" height=\"783\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/ActiveX.png 756w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/ActiveX-290x300.png 290w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/ActiveX-579x600.png 579w\" sizes=\"auto, (max-width: 756px) 100vw, 756px\" \/><\/p>\n<p>Upon opening the spreadsheet, one of several South Korean websites will be contacted via a GET request containing the following three parameters:<\/p>\n<ul>\n<li>a unique identifier<\/li>\n<li>the Flash Player version<\/li>\n<li>the Operating System version<\/li>\n<\/ul>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/URL_request.png\" data-rel=\"lightbox-0\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-21453\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/URL_request.png\" alt=\"\" width=\"900\" height=\"596\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/URL_request.png 900w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/URL_request-300x199.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/URL_request-600x397.png 600w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/a><\/p>\n<p>This is an important step because it retrieves a key used to decrypt the malicious shell code.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/decrypt.png\" data-rel=\"lightbox-1\" title=\"\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-21455\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/decrypt.png\" 
alt=\"\" width=\"499\" height=\"466\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/decrypt.png 499w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/decrypt-300x280.png 300w\" sizes=\"auto, (max-width: 499px) 100vw, 499px\" \/><\/a><\/p>\n<p>By the time we had access to this sample, the websites hosting the key and payload were down, which halted the exploitation chain and prevented the payload from being retrieved. <a href=\"http:\/\/www.malwarebytes.com\/premium\" target=\"_blank\" rel=\"noopener\">Malwarebytes<\/a> detects the remote administration tool that was dropped and blocks the sites known to have hosted the key and payload.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-21448\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2018\/02\/CVE-2018-4878.gif\" alt=\"\" width=\"931\" height=\"684\" \/><\/p>\n<p>Adobe has said it will issue a patch for this zero-day sometime during the week of February 5. In the meantime, users are advised to disable or uninstall the Flash Player. We expect that this exploit will be used in larger-scale attacks, including via malicious spam. 
We will keep you updated on any further developments.<\/p>\n<h3><strong>Indicators of compromise<\/strong><\/h3>\n<pre>1588-2040.co[.]kr\/design\/m\/images\/image\/image.php?<\/pre>\n<p>SWF exploit<\/p>\n<pre>FEC71B8479F3A416FA58580AE76A8C731C2294C24663C601A1267E0E5C2678A0<\/pre>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/02\/new-flash-player-zero-day-comes-inside-office-document\/\">New Flash Player zero-day comes inside Office document<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Segura | Date: Mon, 05 Feb 2018 20:55:16 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/02\/new-flash-player-zero-day-comes-inside-office-document\/' title='New Flash Player zero-day comes inside Office document'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2015\/07\/Flash_Player_Banner.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'><p>Threat actors are targeting South Korea with a Flash Player zero-day in limited attacks, according to Adobe.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/exploits\/\" rel=\"category tag\">Exploits<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/cve-2018-4878\/\" rel=\"tag\">CVE-2018-4878<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/flash-player-zero-day\/\" rel=\"tag\">Flash 
Player zero-day<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/korean\/\" rel=\"tag\">Korean<\/a><\/p>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[17393,4503,10987,17394,17419],"class_list":["post-11377","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-cve-2018-4878","tag-cybercrime","tag-exploits","tag-flash-player-zero-day","tag-korean"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11377","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11377"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11377\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.ne
t\/index.php\/wp-json\/wp\/v2\/media?parent=11377"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11377"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11377"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}