On Wednesday, December 5, 2018, Adobe issued an update to correct a vulnerability in Adobe Flash Player that is being leveraged by a threat group in targeted attacks in Russia. The threat group has already attacked a healthcare facility in Russia that is used by senior civil servants.
The vulnerability was identified by researchers at Gigamon who passed on details of the vulnerability to Adobe in late November. Qihoo 360 researchers recently identified an advanced persistent threat campaign that was actively exploiting the vulnerability.
The vulnerability is being exploited using a specially crafted Word document which is being distributed using a spear phishing campaign. The campaign is highly targeted; however, it is probably that other threat groups may attempt to exploit the same vulnerability in larger, less-targeted campaigns.
The spear phishing campaign used social engineering techniques to fool the recipient into opening a malicious Word document that masqueraded as an employee questionnaire. The document was sent as a .rar attachment to the email, with the compressed file containing the document, the exploit, and the payload. The Word document contained a malicious Flash Active X control in the header.
Upon opening the document, the user is presented with a Microsoft Office warning that the document may be harmful to the computer. If the content is enabled, malicious code will be executed, the vulnerability will be exploited, and the attacker will gain command line access to the user’s system.
The payload, called backup.exe masquerades as an NVIDIA Control Panel application with a matching icon and (stolen) certificate. If the payload is executed, system information will be collected which will be sent back to the attacker’s remote server via HTTP POST. Shell code will also be downloaded and run on the infected device.
The vulnerability, tracked as CVE-2018-15982, is present in version 18.104.22.168 and all earlier versions of Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11. Versions 22.214.171.124 and earlier of Adobe Flash Player Installer also have the vulnerability.
Users are advised to update to version 126.96.36.199 (Version 188.8.131.52 of Adobe Flash Player Installer) as soon as possible. The update also fixes the Insecure Library Loading (DLL hijacking) privilege escalation vulnerability CVE-2018-15983.