Attackers are using malicious Office documents to target users in the Middle East with exploits for an Adobe Flash vulnerability that allows an attacker to run arbitrary code on a compromised machine.
The vulnerability is a stack buffer overflow and Adobe released a patch for it earlier this week. But researchers have identified some targeted attacks that are going after this flaw with rigged Microsoft Office documents that use a multipart exploit chain. The technique that the attackers are using in this case loads the malicious Flash content remotely rather than embedding it directly in the Office document, according to an analysis by researchers at ICEBRG, who first discovered the vulnerability and reported it to Adobe.
“The first stage SWF includes an RSA+AES cryptosystem that protects the subsequent SWF stage, containing the actual exploit, which it downloads and executes. Appropriate use of asymmetric cryptography, like RSA, evades traditional defenses such as replay-based network security devices and prevents a post-mortem network packet capture analysis,” the analysis says.
“The second SWF stage, after exploiting the system and achieving code execution, uses the same cryptosystem to download and execute shellcode to further enable the threat actor to control the victim machine. Typically, the final payload consists of shellcode that provides backdoor functionality to the system or stages additional tools.”
Flash vulnerabilities have long been quite valuable for many classes of attackers because of Flash’s huge installed base. However, in the last few years vendors have been gradually phasing Flash out of their browsers and some now block it by default because of the security issues it presents. That means attackers have had to find new ways to go about targeting Flash if they’re still interested. The technique that the ICEBRG researchers described shows that some attackers are still interested in Flash and are developing novel ways to go after it.
“The attack loads Adobe Flash Player from within Microsoft Office, which is a popular approach to Flash exploitation since Flash is disabled in many browsers. Attackers typically embed a Flash file within a document, which may contain the entire exploit, or may stage the attack to download exploits and payloads more selectively,” Chenming Xu, Jason Jones, Justin Warner, and Dan Caselden of ICEBRG said in their analysis.
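Because the technique described above loads Flash through an ActiveX part inside an Office document rather than through a browser, a defender can triage documents by looking for that part directly. The following is an added example, not code from ICEBRG or from the article; it assumes the OOXML layout in which an ActiveX control is stored as an XML part under `word/activeX/` with the Shockwave Flash class id and a `Movie` property, and it builds its own inert sample document with a placeholder URL rather than any real lure.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Class id under which Adobe Flash Player registers its "Shockwave Flash Object" ActiveX control.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

def _local(name):
    """Strip the XML namespace from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]

def scan_ooxml(data):
    """Return one finding per Flash ActiveX part: (part_name, movie_value, loads_remotely).
    A remote Movie value means the SWF is fetched at open time instead of being embedded."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if "activeX" not in name or not name.endswith(".xml"):
                continue
            root = ET.fromstring(z.read(name))
            for elem in root.iter():
                if _local(elem.tag) != "ocx":
                    continue
                attrs = {_local(k): v for k, v in elem.attrib.items()}
                if attrs.get("classid", "").strip("{}").upper() != FLASH_CLSID:
                    continue
                movie = ""
                for child in elem:
                    cattrs = {_local(k): v for k, v in child.attrib.items()}
                    if _local(child.tag) == "ocxPr" and cattrs.get("name") == "Movie":
                        movie = cattrs.get("value", "")
                findings.append((name, movie, bool(REMOTE_URL.match(movie))))
    return findings

def build_sample_docx(movie):
    """Constructed, inert sample: a minimal .docx whose only ActiveX part is a Flash control."""
    ax = "http://schemas.microsoft.com/office/2006/activeX"  # assumed ActiveX part namespace
    part = (f'<ax:ocx xmlns:ax="{ax}" ax:classid="{{{FLASH_CLSID}}}" ax:persistence="persistPropertyBag">'
            f'<ax:ocxPr ax:name="Movie" ax:value="{movie}"/>'
            f'<ax:ocxPr ax:name="Play" ax:value="-1"/></ax:ocx>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/activeX/activeX1.xml", part)
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder host; the real campaign's domain is not used here.
    for url in ("http://example.invalid/stage1.swf", "stage1.swf"):
        for part, movie, remote in scan_ooxml(build_sample_docx(url)):
            print(f"{part}: Movie={movie!r} remote={remote}")
```

A remote `Movie` value is the signal worth alerting on: the document itself carries no exploit, so static scanning of embedded SWF content would miss it, and the fetched stage is what the analysis says is protected by the RSA+AES layer.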
The attackers who have been exploiting this vulnerability appear to be targeting users in Qatar, using a specific domain as the lure. The phishing document used in the attacks is posing as a memo on salary adjustments for people in the diplomatic service.
“Within the document, the threat actor utilizes the domain ‘dohabayt[.]com’ for malicious content which also reveals additional clues as to the intended target. When broken down into parts, the domain indicates a possible targeting of Qatar interests. The first part contains ‘doha’, which is the capital of Qatar. The second part also may be mimicking the legitimate Middle Eastern job search site ‘bayt[.]com’ in a further attempt to blend in on the network,” the analysis says.