Adobe 0-days used for IEEE aerospace spearphishing attacks

Attackers using the zero-day Adobe Flash flaws patched last week delivered the exploits with a spearphishing email aimed at the aerospace sector, according to security researchers.

Security firm AlienVault on Friday published details confirming the exploits underpinned a targeted campaign against US aerospace companies and industry.

Adobe’s patch last Friday fixed one zero-day that was being exploited through malicious Flash content embedded in Microsoft Office documents for Windows, which were delivered as email attachments.

According to Jaime Blasco, director of AlienVault Labs, one of the Office attachments that carried the Flash exploit was a 2013 Institute of Electrical and Electronics Engineers (IEEE) Aerospace Conference schedule.

2013 IEEE Aerospace Conference schedule. Image credit: AlienVault.

Another attack document used an “Employee Quick Reference Guide” made to appear to come from the US payments processing giant Automatic Data Processing (ADP), a company with 600,000 clients, including multinationals such as Alcoa.

The other zero-day exploit targeted Macs via a malicious Flash (SWF) file hosted on websites that exploited Flash in Firefox or Safari. Adobe credited the CERT of aerospace giant Lockheed Martin for discovering that exploit, giving some indication of the calibre of target the hackers were seeking.

Security firm FireEye first detected the exploit on February 5, 2013 and notes in its analysis that the codepage of the Word files used in the attacks is “Windows Simplified Chinese (PRC, Singapore).”

The executables were signed with a fake certificate from South Korean gaming company MGAME, which was also used to sign the PlugX remote access tool (RAT) in past attacks on NGOs, according to AlienVault.

The malware had two oddities. One was a coding reference to “Lady Boyle”, a character in the adventure game “Dishonored”. The other was that the authors failed to obfuscate the malicious Flash file, leaving it open to detection by generic antivirus signatures.

“It is odd and sloppy for a threat attempting industrial espionage,” FireEye researchers Josh Gomez, Thoufique Haq, and Yichong Lin noted.
