Adobe 0-days used for IEEE aerospace spearphishing attacks
11 February 2013, 09:49
Attackers using the zero day Adobe Flash flaws patched last week delivered the exploits with a spearphishing email aimed at the aerospace sector, according to security researchers.
Security firm AlienVault on Friday published details confirming that the exploits underpinned a targeted campaign against US aerospace companies and industry.
Adobe’s patch last Friday fixed one zero-day that was being exploited through malicious Flash content embedded in Microsoft Office documents for Windows, which were delivered as email attachments.
According to Jaime Blasco, director of Alienvault Labs, one of the Office attachments that carried the Flash exploit was a 2013 Institute of Electrical and Electronics Engineers (IEEE) Aerospace Conference schedule.
2013 IEEE Aerospace Conference schedule. Image credit: AlienVault.
Another attack document used an “Employee Quick Reference Guide” made to appear to come from the US payments processing giant Automatic Data Processing (ADP), a company with 600,000 clients, including multinationals such as Alcoa.
The other zero-day exploit targeted Macs via a malicious Flash (SWF) file hosted on websites that exploited Flash in Firefox or Safari. Adobe credited the CERT of aerospace giant Lockheed Martin with discovering that exploit, giving some indication of the calibre of target the hackers were seeking.
Security firm FireEye first detected the exploit on February 5, 2013 and notes in its analysis that the codepage of the Word files used in the attacks is “Windows Simplified Chinese (PRC, Singapore).”
The executables were signed with a fake certificate from South Korean gaming company MGAME, which was also used to sign the PlugX remote access tool (RAT) in past attacks on NGOs, according to AlienVault.
The malware had two oddities: a reference in its code to “Lady Boyle”, a character in the adventure game Dishonored, and the fact that the authors failed to obfuscate the malicious Flash file, leaving it open to detection by generic antivirus signatures.
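The two points above that matter to defenders are that the Flash payload was embedded inside Office attachments and that it was left unobfuscated, so a plain signature on the SWF container was enough to catch it. The following scanner is an added example, not code from the article, AlienVault or FireEye: it searches an arbitrary file for SWF headers (FWS/CWS/ZWS magic, version byte, declared length), validates the candidates it can, and lists the ActionScript-bearing tags each one carries, which is the kind of generic check an unobfuscated SWF cannot evade. The sample document, the minimal SWF it contains, the version ceiling and the size ceiling are constructed assumptions for illustration only; the sample carries no exploit.

```python
"""Scan a file for embedded SWF objects and report the script tags each carries.
Added example; assumes SWF header and tag layout from the public SWF format spec."""
import re
import struct
import zlib
from typing import Optional

# A SWF starts with "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA),
# a one-byte version and a 4-byte little-endian uncompressed file length.
SWF_MAGIC = re.compile(rb"[FCZ]WS")
MAX_SWF_VERSION = 60            # assumption: reject implausible version bytes
MAX_SWF_LEN = 64 * 1024 * 1024  # assumption: reject absurd declared lengths

# Tag codes that carry ActionScript: DoAction (12), DoInitAction (59), DoABC (82)
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}


def _swf_body(signature: bytes, data: bytes, off: int) -> Optional[bytes]:
    """Return the uncompressed bytes after the 8-byte header, or None if the
    candidate does not decode the way its signature claims."""
    payload = data[off + 8:]
    if signature == b"FWS":
        return payload
    if signature == b"CWS":
        try:
            return zlib.decompressobj().decompress(payload)
        except zlib.error:
            return None
    return None  # ZWS uses a nonstandard LZMA header; left unverified here


def list_tags(body: bytes) -> list:
    """Walk the SWF tag stream and return (tag_code, length) pairs."""
    if not body:
        return []
    nbits = body[0] >> 3                      # RECT: 5 bits of nbits, then 4*nbits bits
    pos = (5 + 4 * nbits + 7) // 8 + 2 + 2    # RECT, frame rate, frame count
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:                    # long form: 4-byte length follows
            if pos + 4 > len(body):
                break
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, length))
        if code == 0:                         # End tag
            break
        pos += length
    return tags


def find_embedded_swf(data: bytes) -> list:
    """Return one dict per plausible SWF header found anywhere in data."""
    hits = []
    for m in SWF_MAGIC.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue
        sig = m.group()
        version = data[off + 3]
        length = struct.unpack_from("<I", data, off + 4)[0]
        if not 1 <= version <= MAX_SWF_VERSION or not 8 <= length <= MAX_SWF_LEN:
            continue                          # stray "FWS" in text fails these checks
        if sig == b"FWS" and length > len(data) - off:
            continue                          # uncompressed length cannot exceed remaining bytes
        body = _swf_body(sig, data, off)
        if body is None and sig != b"ZWS":
            continue                          # CWS that does not inflate is not a SWF
        scripts = []
        if body is not None:
            scripts = [SCRIPT_TAGS[c] for c, _ in list_tags(body) if c in SCRIPT_TAGS]
        hits.append({"offset": off, "signature": sig.decode(), "version": version,
                     "declared_length": length, "verified": body is not None,
                     "script_tags": scripts})
    return hits


def build_sample_swf(compressed: bool) -> bytes:
    """Constructed minimal SWF with one DoABC tag and an End tag (no real code)."""
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1)    # RECT nbits=0, 12.0 fps, 1 frame
    body += struct.pack("<H", (82 << 6) | 3) + b"abc"  # DoABC tag, 3-byte body
    body += b"\x00\x00"                                # End tag
    total = 8 + len(body)
    if compressed:
        return b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(body)
    return b"FWS" + bytes([10]) + struct.pack("<I", total) + body


# Constructed "document": an OLE-style prefix, filler text that happens to contain
# the letters FWS, the compressed SWF in the middle, and trailing padding.
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
              + b"conference schedule ... FWS team " * 3
              + build_sample_swf(compressed=True)
              + b"\x00" * 64)

if __name__ == "__main__":
    for hit in find_embedded_swf(SAMPLE_DOC):
        print(hit)
```

The filler text shows why the header checks matter: the letters "FWS" followed by a space and "team" pass the regex but fail the declared-length sanity check, so only the real CWS object is reported, with `DoABC` listed as its script tag. A ZWS candidate is reported with `verified` set to False because this example does not decode the LZMA variant.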
“It is odd and sloppy for a threat attempting industrial espionage,” FireEye researchers Josh Gomez, Thoufique Haq, and Yichong Lin noted.