Major browsers have all but shutdown Flash, but advanced hackers have shown how a zero-day Flash Player flaw can be exploited through Office Excel phishing documents.
Adobe has released an update to address four flaws affecting Flash Player, including two critical issues, one of which is already under attack. Usually Adobe updates Flash with Microsoft's Patch Tuesday but the attack likely prompted this release and Adobe is urging users to update from the Adobe Flash Player 188.8.131.52 to the patched version, 184.108.40.206, to block the attack.
The actively exploited Flash flaw, tagged as CVE-2018-5002, is delivered via email in an attached Excel file made to look like recruitment documents relevant to anyone in diplomatic circles in Qatar, according to security firm Iceberg, one of the firms that discovered the attacks.
Opening the Excel file will present a spreadsheet in Arabic language that claims to reveal employee salary adjustments for roles in an embassy, including secretaries, ambassadors, and diplomats.
The attackers used an unusual technique to deliver the Flash exploit, which both helped them bypass the browser blockade on Flash but also helped them evade detection through analysis of malicious code in an Office document.
"The attack loads Adobe Flash Player from within Microsoft Office, which is a popular approach to Flash exploitation since Flash is disabled in many browsers. Attackers typically embed a Flash file within a document, which may contain the entire exploit, or may stage the attack to download exploits and payloads more selectively (e.g. APT28/Sofacy DealersChoice). This leaves, at a minimum, a small Flash loader that defenders can flag for detection and analysts can fingerprint for tracking," writes Iceberg.
Instead of embedding malicious Flash content directly in the Office document, the Excel file calls the exploit in from a remote server. This helps evade detection since the document doesn’t contain any malicious code, and allows the attacker to selectively serve exploits to targets based on IP address, or avoid non-targets based on a regional ISP, a cloud provider or by security product.
Qihoo 360 Core Security, which also discovered the attack, explained the infection chain. After a victim opens the boobytrapped Excel document, the malicious Shock Wave Flash (SWF) file is downloaded from the attacker’s remote server.
The file then requests encrypted data and decryption keys, which are used to unlock and run the 0-day Flash exploit on the victim’s machine. Once the Flash vulnerability is triggered, the file requests malicious shell code from the remote server and executes it on the victim’s machine, which delivers a trojan that most likely establishes a backdoor on the machine.
Qihoo 360 researchers said all clues point to a “typical” advanced persistent threat (APT) attack due to the delivery technique and the attention the attackers paid to naming the domain used to deliver the exploit.
Both firms suspect the targets are based in Qatar because that domain was “people.dohabayt[.]com”, which includes “Doha”, Qatar’s capital. The domain is also similar to a legitimate Middle East recruitment website “bayt[.]com”. Additionally, the malicious Excel document was uploaded to Virus Total from an IP address in Qatar.
Qihoo 360 notes that visiting the command and control domain directly automatically redirects the browser to a Qatar Airways recruitment homepage. The domain was also set up three months ago, suggesting some time went into planning the attack. Besides all these clues, the attackers were willing to use a 0-day exploit that will be less valuable as patches are applied.
Hacking aimed at any nation is hardly a surprise, but Qatar, a US ally, has been at the centre of diplomatic row with many of its Gulf neighbors for the past two years.
This is the latest example of likely state-sponsored hackers finding novel ways to combine Microsoft and Adobe technologies to hack high-value targets. While these attacks don't impact most internet users, the flaws leave enough clues for less discerning cybercriminals to use them in widespread attacks.
Qihoo 360 last month revealed an interesting Internet Explorer "double-kill" exploit that took advantage of a Windows flaw and was likely developed by state-backed hackers that Qihoo said was used against Chinese targets.
Kaspersky Lab researchers rightly speculated that, despite the original intent, the techniques employed in "double-kill" would be adopted by cybercriminals. By the end of May the makers of the RIG exploit kit had integrated the attack to plant cryptocurrency-mining software on as many machines as possible.