Adobe has released an update to address a critical flaw in Flash Player that is being actively exploited in the wild, which makes it a zero-day flaw.
Adobe is urging users to update from Adobe Flash Player 126.96.36.199 to the patched version, 188.8.131.52. The update also addresses three other flaws.
An exploit for the flaw, CVE-2018-5002, is stealthily delivered in emailed Excel attachments using a novel technique designed to minimize the risk of detection by antivirus and frustrate forensic analysis.
The flaw was discovered by researchers at the security firms ICEBRG and Qihoo 360 Core Security, which have published separate analyses of the techniques used.
Instead of embedding malicious Flash content directly in the Office document, where static analysis of the file might detect it, the Excel file pulls the Flash exploit in from a remote server.
ICEBRG notes that this remote inclusion helps evade detection because the document itself contains no malicious code.
Loading the malicious Flash object remotely also lets the attacker serve exploits selectively to targets based on IP address, or withhold them from non-targets, such as addresses belonging to a regional ISP, a cloud provider, or a security vendor.
When the malicious Excel document is opened, it requests a malicious Shockwave Flash (SWF) file from an attacker-controlled domain. The SWF file then requests the encrypted exploit data and the keys needed to decrypt it, and uses them to unpack and run the Flash exploit.
Once the Flash vulnerability is triggered, the file requests malicious shellcode from the remote server and executes it on the victim’s machine. The shellcode delivers a trojan that likely establishes a backdoor on the machine.
ICEBRG notes that the combination of remote inclusion and public-key cryptography to conceal the exploit makes it extremely difficult for responders to analyze an infection.
All data transmitted from the attacker’s server to the target machine is encrypted with a symmetric AES cipher, and the AES key is in turn protected with asymmetric RSA encryption.
“To decrypt the data payload, the client decrypts the encrypted AES key using its randomly generated private key, then decrypts the data payload with the decrypted AES key,” wrote ICEBRG’s researchers. “The extra layer of public key cryptography, with a randomly generated key, is crucial here. By using it, one must either recover the randomly generated key or crack the RSA encryption to analyze subsequent layers of the attack.
“If implemented correctly, this renders packet capture in forensic analysis and automated security products ineffective. Furthermore, the decrypted data payloads will only reside in memory, challenging traditional disk forensics and non-volatile artifact analysis.”
According to CERT/CC analyst Will Dormann, Adobe’s patch for CVE-2018-5002 introduces a new prompt that warns users of potential security risks before loading remote content. Although the prompt looks like an Office prompt, the warning only appears after applying Adobe’s latest update, Dormann notes.
Microsoft’s advisory for Adobe’s latest update offers instructions for admins to prevent Flash Player from running in Office.
The malicious Excel document was uploaded to VirusTotal from an IP address in Qatar, and its Arabic-language contents, which list pay details for secretaries, ambassadors, and diplomats, suggest the targets were people interested in embassy salaries.