Adobe Systems on Monday issued an emergency patch for a zero-day Flash Player vulnerability, after an advanced persistent threat group was discovered actively exploiting the bug in the wild as a means to infect machines with FinSpy surveillance malware.
The fix came just six days after Adobe's last Patch Tuesday release cycle, at which time the company had zero updates for its product line – a rare and possibly unprecedented occurrence for the software maker. In an online security bulletin, Adobe describes the bug – officially designated CVE-2017-11292 – as a "critical type confusion vulnerability that could lead to code execution."
The bulletin also acknowledges the existence of an active exploit that is "being used in limited targeted attacks against users running Windows." Even so, the patch applies to all major operating systems – Windows, Macintosh, Linux and Chrome – and includes fixes for the Desktop Runtime, Google Chrome, and Microsoft Edge and Internet Explorer 11 versions of Flash Player.
Discovered on Oct. 10 by Anton Ivanov, lead malware analyst at Kaspersky Lab, the exploit was initially found contained within an ActiveX object that was in turn embedded in a malicious Microsoft Office document, which was likely delivered via a phishing email. According to a Kaspersky blog post, the exploit is the work of BlackOasis, an APT group known to gather intelligence on activists, United Nations figures, regional news correspondents, and think tanks – particularly those affiliated with the Middle East. The group also appears fixated on the African nation of Angola.
"The exploit is a memory corruption vulnerability that exists in the 'com.adobe.tvsdk.mediacore.BufferControlParameters' class," the blog post explains. "If the exploit is successful, it will gain arbitrary read/write operations within memory, thus allowing it to execute a second stage shellcode."
The exploit's final payload is mo.exe, an new and improved version of FinSpy, which is typically sold to governments as a surveillance tool. "This newer variant has made it especially difficult for researchers to analyze the malware due to many added anti-analysis techniques," Kaspersky states.
Kaspersky also found that mo.exe shares the same command-and-control servers with another FinSpy payload that was delivered via a different zero-day exploit attack reported by FireEye in September 2017. This previous exploit was delivered via Microsoft Office RTF documents that took advantage of CVE-2016-8759, a a SOAP-based parser code injection vulnerability within the Microsoft .NET framework.
Interestingly, on Oct. 13, a Malwarebytes blog post reported on an email-based malware campaign that leveraged Microsoft Office Word and RTF documents and a CVE-2016-8759 exploit in order to infect recipients with the Orcus Rat Remote Administrative Tool.
Kaspersky says that it first discovered BlackOasis in 2016, but the APT has leveraged at least five zero-day exploits in attacks since as far back as June 2015. Kaspersky has been keeping tabs on the group since its discovery, tying the APT to a "couple dozen" observed attacks.