Adobe Systems today issued an emergency security update for Flash Player following the discovery of a critical vulnerability that attackers were actively exploiting in a Nov. 29 phishing operation targeting a Russian state health care institution.
The zero-day arbitrary code execution exploit was specifically employed against Moscow-based "Polyclinic No. 2" of the Administrative Directorate of the President of the Russian Federation, according to separate reports from researchers at Gigamon and Qihoo 360 Core Security. The latter group is referring to the scam as Operation Poison Needles.
The phishing emails incorporated an attached Russian-language document called “22.docx” that was originally submitted to VirusTotal from a Ukrainian IP address. The doc appears to be an employment application and questionnaire form for the state-run clinic; however, the file contains a RAR compressed package housing the Flash exploit. Upon activation, the exploit allows the attackers to execute code that gets them command line access to the infected system. From there, they would be able to introduce a malicious backdoor payload.
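As an added illustration, not code from the original article or from either vendor's report, the following Python inspects a .docx container (itself a ZIP) for the packaging described above: an embedded RAR archive or a bare SWF among its members. The sample document is constructed inline and its member names are assumptions.

```python
import io
import zipfile

# Magic bytes for the containers the report describes. The RAR prefix covers both
# RAR4 ("Rar!\x1a\x07\x00") and RAR5 ("Rar!\x1a\x07\x01\x00"); SWF headers are
# FWS (uncompressed), CWS (zlib) and ZWS (LZMA).
RAR_MAGIC = b"Rar!\x1a\x07"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def scan_docx_for_embedded_archives(data: bytes) -> dict:
    """Return {member_name: [finding, ...]} for docx members that carry a RAR
    archive or a SWF. A SWF packed inside the RAR is compressed and will not be
    visible here; the RAR signature itself is the indicator in that case."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            blob = zf.read(info.filename)
            hits = []
            if RAR_MAGIC in blob:               # archive hidden in an OLE/binary part
                hits.append("embedded RAR archive")
            if blob[:3] in SWF_MAGICS:          # member is itself a Flash file
                hits.append("SWF header")
            if info.filename.lower().endswith((".swf", ".rar")):
                hits.append("suspicious extension")
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_docx(malicious: bool = True) -> bytes:
    """Constructed sample: a minimal docx skeleton, optionally with an OLE part
    (name assumed) that wraps a RAR header followed by filler bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        if malicious:
            body = b"\x00" * 16 + RAR_MAGIC + b"\x00" + b"A" * 32
            zf.writestr("word/embeddings/oleObject1.bin", body)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx_for_embedded_archives(build_sample_docx()))
```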
With moderate-to-high confidence, Gigamon has identified the final payload as a variant of Scout malware from Hacking Team, an Italian spyware company. Disguised as an NVIDIA control panel application, the malware comes in the form of a Windows executable and is capable of gathering system details, establishing persistence, and communicating with a C2 server via HTTP POST.
Further investigation from Gigamon also turned up an additional document, titled 33.docx, that leverages the same exploit, as well as an additional payload and malicious binary.
"All the technical details indicate that the APT group is determined to compromise the target at any price, but at the same time, it is also very cautious," concluded the report from 360 Core Security.
Attribution efforts have already yielded a couple of different theories. Gigamon's Applied Threat Research team noted that the attack bore similarities to past operations involving tools from the aforementioned Hacking Team. However, a number of threat groups have been known to copy some of Hacking Team's tools and tactics, especially after the company's source code was leaked in 2015.
On the other hand, 360 Core Security noted that Operation Poison Needles took place just four days after a high-profile international incident along the Kerch Strait, during which Russian Federal Security Service border service coast guard boats fired upon and later captured three Ukrainian Navy ships. In their blog post, 360 Core Security researchers suggested there could be a politically motivated connection between the two incidents.
Designated CVE-2018-15982, the exploited bug is a use-after-free flaw found in versions 18.104.22.168 and earlier of Flash Player Desktop Runtime (Windows, macOS and Linux), Flash Player for Google Chrome (Windows, macOS, Linux and Chrome OS) and Flash Player for Microsoft Edge and Internet Explorer 11 (Windows 10 and 8.1). It's also found in versions 22.214.171.124 and earlier of the Adobe Flash Player Installer.
Gigamon and 360 Core Security share credit for the critical bug’s discovery alongside researchers from 360 Threat Intelligence of 360 Enterprise Security Group, as well as a researcher who goes by the alias b2ahex.
In the same security update, Adobe also patched CVE-2018-15983, a privilege escalation vulnerability that was deemed important, but not critical.