CIO

Exploit kits once again ride Flash Player flaws to attack Windows

  • Liam Tung (CSO Online)
  • 10 April, 2018 07:14

Adobe’s Flash Player might be on the way out and exploit kits have taken a backseat to cryptominers, but cybercriminals are still finding ways to harness the potent pairing.

Developers of the once highly active RIG exploit kit have now added the remote code execution in Flash Player — CVE-2018-4878 — that Adobe rushed out a patch for in February. Prior to the patch, the flaw was being used by suspected North Korean hackers to target South Korean users.    

A malware researcher who uses the Twitter ID nao_sec spotted RIG attacking Flash Player in Internet Explorer 11 on Windows 7 today. 

The attack works against versions of Flash Player prior to 28.0.0.137, the version Adobe released in February.  

Customers of RIG apparently had been complaining that the developers hadn’t yet integrated CVE-2018-4878 as so many rival exploits have already done over the past month. 

The Magnitude exploit kit this month added the same Flash exploit to its kit, which typically uses malicious ads to deliver the Magniber ransomware, according to malware researcher Kafeine. Magniber is a fairly new strain of ransomware that shares some features with the better known Cerber ransomware and historically been used to exclusively to target South Korean Windows users.

GreenFlash Sundown, a variant of the Sundown exploit kit, also gained the Flash Player exploit in early March and has been using it to deliver the Hermes 2.1 ransomware to Windows 7 PCs. 

Other cybercriminal businesses have hopped on the February Flash exploit too. Security firm Proofpoint found that the makers of the ThreadKit exploit builder program bundled the Flash attack in March, along with a fresh Office exploit identified as CVE-2018-0802. 

As Proofpoint noted recently, the ThreadKit tool emerged in mid-2017 and is helping put powerful exploits for widely used software in the hands of low-skilled threat actors. 

The group has gained a reputation for quickly incorporating the latest Office exploits into the exploit builder kit.         

The wider adoption of this particular Flash exploit followed a massive malicious spam campaign in late February that sought to catch out businesses that hadn't applied the updates. 

Researchers at Morphisec found that attackers were spreading several links generated by Google’s now deprecated URL shortener, which if clicked on led users to a Word document that loads a malicious SWF Flash file designed to attack the Flash flaw.