APT group exploits Adobe Flash Player zero-day in phishing operation


Earlier this month FireEye's threat analyst team in Singapore, FireEye as a Service, observed a China-based threat group – dubbed APT3, or UPS – exploiting a zero-day vulnerability in Adobe Flash Player as part of a phishing operation targeting various industries in the U.S. and around the globe.

On Tuesday, Adobe addressed the high-priority vulnerability – CVE-2015-3113, which can be exploited by an attacker to potentially take control of the affected system – by issuing a Flash Player patch for Windows, Macintosh and Linux.

APT3 had been exploiting the vulnerability in a large-scale phishing campaign targeting organizations in the aerospace and defense, construction and engineering, high-tech, telecommunications, and transportation industries, a FireEye post said.

The organizations are mostly in the U.S. and UK, but the targeting was believed to be global, Mike Oppenheimer, senior threat intelligence analyst with FireEye, said in a Tuesday email correspondence.

“APT3 is one of the more advanced groups that FireEye tracks and after successfully exploiting a target host, this group will quickly dump credentials, move laterally to additional hosts, and install custom backdoors, which in this operation FireEye observed the use of the SHOTPUT backdoor,” Oppenheimer said.

The operation involved the group sending out very generic emails that told recipients to click a link in order to get a good deal on a refurbished iMac, the post said. Clicking on the link redirected users to a compromised server hosting JavaScript profiling scripts.

Once profiled, a malicious Adobe Flash Player SWF file and FLV file were downloaded, ultimately leading to the installation of the custom backdoor known as SHOTPUT, which was detected by FireEye as Backdoor.APT.CookieCutter.

“The attack exploits an unpatched vulnerability in the way Adobe Flash parses Flash Video (FLV) files,” the post said. “The exploit uses common vector corruption techniques to bypass Address Space Layout Randomization (ASLR), and uses Return-Oriented Programming (ROP) to bypass Data Execution Prevention (DEP).”

The post continues, “A neat trick to their ROP technique makes it simpler to exploit and will evade some ROP detection techniques. Shellcode is stored in the packed Flash exploit file alongside a key used for its decryption. The payload is XOR encoded and hidden inside an image.”

FireEye notes that APT3's command-and-control infrastructure is difficult to track since there is little overlap across campaigns.

“FireEye assesses that APT3 conducts network intrusions against a broad range of victim organizations and steals intellectual properties that are in close alignment with People's Republic of China's (PRC) central planning objectives,” Oppenheimer said.
