{"id":14007,"date":"2018-12-05T15:10:03","date_gmt":"2018-12-05T23:10:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/12\/05\/news-7774\/"},"modified":"2018-12-05T15:10:03","modified_gmt":"2018-12-05T23:10:03","slug":"news-7774","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/12\/05\/news-7774\/","title":{"rendered":"New Flash Player zero-day used against Russian facility"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 05 Dec 2018 22:44:59 +0000<\/strong><\/p>\n

For the past couple of years, Office documents have largely replaced exploit kits<\/a> as the primary malware delivery vector, giving threat actors the choice between social engineering lures and exploits or a combination of both.<\/p>\n

While today’s malicious spam (<\/a>malspam) heavily relies on macros and popular vulnerabilities (i.e. CVE-2017-11882<\/a>), attackers can also resort to zero-days<\/a> when trying to compromise a target of interest.<\/p>\n

In separate blog posts, Gigamon<\/a> and 360 Core Security<\/a> reveal how a new zero-day (CVE-2018-15982<\/a>) for the Flash Player (version 31.0.0.153 and earlier) was recently used in targeted attacks. Despite being a brand new vulnerability, Malwarebytes users were already protected against it thanks to our Anti-Exploit technology.<\/p>\n

The Flash object is embedded into an Office document disguised as a questionnaire from a Moscow-based clinic.<\/p>\n

\"\"<\/a><\/p>\n

A dot reveals an embedded (and hidden) ActiveX object<\/p>\n<\/div>\n

Since Flash usage in web browsers has been declining over the past few years, the preferred scenario is one where a Flash ActiveX control is embedded in an Office file. This is something we saw earlier this year with CVE-2018-4878<\/a> against South Korea.<\/p>\n

Victims open the booby-trapped document from a WinRAR archive that also contains a bogus jpeg file (shellcode) that will be used as part of the exploitation process that eventually loads a backdoor.<\/p>\n

\"\"<\/a><\/p>\n

Zero-day attack flow stopped by Malwarebytes<\/a><\/p>\n<\/div>\n

As Qihoo 360 security researchers noted, the timing with this zero-day attack is close to a recent\u00a0real-world incident<\/a> between\u00a0Russia and Ukraine. Cyberattacks between the two countries have been going on for years and have affected major infrastructure, such as the power grid<\/a>.<\/p>\n

Malwarebytes users were already protected against this zero-day without the need to update any signatures. We detect the malware payload as\u00a0Trojan.CrisisHT.APT.<\/p>\n

Adobe has patched this vulnerability (security bulletin APSB18-42<\/a>) and it is highly recommended to apply this patch if you are still using Flash Player. Following the typical exploit-patch cycle, zero-days often become mainstream once other attackers get their hands on the code. For this reason, we can expect to see this exploit integrated into document exploit kits as well as web exploit kits in the near future.<\/p>\n

The post New Flash Player zero-day used against Russian facility<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 05 Dec 2018 22:44:59 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
An APT group is using a new Flash Player zero-day that was used a lure targeting a Russian-based clinic<\/p>\n

Categories: <\/p>\n