Adobe Systems today issued patches for four vulnerabilities in Flash Player, including a zero-day flaw that attackers have been exploiting in the wild in targeted attacks against Windows users in the Middle East, possibly in Qatar.
The actively exploited issue, CVE-2018-5002, is an arbitrary code execution bug caused by a stack-based buffer overflow in Flash Player versions 220.127.116.11 and earlier. It is the second Flash Player zero-bug discovered this year. Affected versions are Flash Player Desktop Runtime (Windows, Macintosh and Linux platforms) Flash Player for Google Chrome (Windows, Macintosh, Linux and Chrome OS platforms), and Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (Windows 10 and 8.1 platforms).
According to multiple researcher accounts, the attackers have been delivering the exploit in an apparent phishing campaign featuring maliciously crafted Shockwave Flash files (SFWs), used in conjunction with Microsoft Office documents. But in an unusual twist, these SFW objects are not embedded within the documents, as is the typical method of attack. Instead, the documents merely contain an embedded link to a remote server, from which the SFW files are downloaded via Microsoft's ActiveX software framework.
The SWF file then contacts the server again to download another encrypted SFW file, as well as its decryption keys. This is the zero-day exploit -- and once it compromises the victimized machine, it downloads and executes additional shell code that researchers believe behaves like backdoor malware, granting the attackers all sorts of new functionality.
"Adobe is aware of a report that an exploit for CVE-2018-5002 exists in the wild, and is being used in limited, targeted attacks against Windows users," states an Adobe security bulletin, which recommends users update to version 18.104.22.168. "These attacks leverage Office documents with embedded malicious Flash content distributed via email." Office will begin blocking Flash in Office 365 in 2019.
The bug was identified and reported independently by researchers at four different security organizations: ICEBRG's Security Research Team, Tencent PC Manager, the 360 Threat Intelligence Center at 360 Enterprise Security Group, and Qihoo 360 Core Security.
Researchers note that the weaponized document, written in Arabic, is titled “basic_salary," and is intended to lure victims by falsely suggesting it contains information on employee pay. A blog post from ICEBRG reports that one such document was uploaded from a Qatari IP address to VirusTotal on May 31 of this year.
"Most of the job titles included in the document are diplomatic in nature, specifically referring to salaries with positions referencing secretaries, ambassadors, diplomats, etc.," the ICEBRG report states.
Researchers believe the phishing scheme may be specifically targeting users in Qatar because the document downloads malicious files from the domain “dohabayt[.]com.” Doha is the capital of Qatar and bayt.com may be an effort to appear legit by impersonating the real Middle Eastern job search site Bayt.com.
"Such focused targeting would not be surprising given the hotbed of regional instability due to an ongoing blockade of Qatar by a number of other Middle Eastern countries and recent allegations of Qatar using offensive capabilities and contractors to target U.S. political organizations," ICEBRG concludes.
Furthermore, ICEBRG speculates that the attackers chose to have Microsoft Office documents remotely download SFW files instead of embedding them order to avoid analysis and improve its ability to target victims.
Embedding Flash files "leaves, at a minimum, a small Flash loader that defenders can flag for detection and analysts can fingerprint for tracking," the post explains. But using this more cunning method, only "XML wrappers selecting the Flash Player ActiveX control and an OLE Object supplying parameters are present."
Indeed, the initial decoy document in this case doesn't contain any suspicious code. "Statically, the best one can do is detect the presence of remotely included Flash content," ICEBRG notes. "Dynamically, the sandbox/simulator must interact with the attacker's server and receive malicious content, necessitating that the analysis system has a live connection to the Internet." And if attackers abandon their C&C infrastructure, then researchers forensics have even less to study.
Additionally, this technique allows attackers to selectively serve exploits to only their intended victims, using whitelisting and blacklisting to specify which IP addresses their malicious servers should interact with or avoid, based on key user characteristics
In its own blog post, the Qihoo 360 team describes the actual exploit itself in highly technical details, as follows:
"Flash will use the interpreter to handle Static-init methods. The interpreter handles the try catch statement does not correctly handle the exception, and this will make li8 (123456) instruction caught by the catch block when it triggers the exception. Because Flash assumes that it is impossible to execute to the catch block when processing the try catch statement, it does not check the bytecode in the catch block. The attacker uses the getlocal, setlocal instruction in the catch block to read and write arbitrary addresses on the stack. In this wild used 0 day, the attacker switches the vulnerability to a type obfuscation problem by exchanging two object pointers on the stack and finally completes the attack."
The attack also uses a heavy amount of RSA and AES encryption in both its initial and secondary stages.
"Appropriate use of asymmetric cryptography, like RSA, evades traditional defenses such as replay-based network security devices and prevents a post-mortem network packet capture analysis," explains ICEBRG. "To decrypt the data payload, the client decrypts the encrypted AES key using its randomly generated private key, then decrypts the data payload with the decrypted AES key. The extra layer of public key cryptography, with a randomly generated key, is crucial here. By using it, one must either recover the randomly generated key or crack the RSA encryption to analyze subsequent layers of the attack. If implemented correctly, this renders packet capture in forensic analysis and automated security products ineffective. Furthermore, the decrypted data payloads will only reside in memory, challenging traditional disk forensics and non-volatile artifact analysis."
The encryption, combined with the use of remotely downloaded exploit, is especially effective, ICEBRG continues, because "once exploited, the only artifact residing on the victim's system would be the initial lure document that only contains a URL. In that scenario, responders may look to network packet captures to recreate the attack. However, without the victim's randomly created private key, it would be impossible for responders to decrypt the attacker's code and recover subsequent protected stages like the exploit or payload. In this scenario, responders' only saving grace would be the use of a weak RSA modulus."
Due to the attack's advanced nature, Qihoo 360 suspects the exploit is the work of an APT group. "Through analysis, we can see that the attack used a zero-day vulnerability regardless of the cost," the company's blog post concludes. "The attacker developed sophisticated plans in the cloud and spent at least three months preparing for the attack. The detailed phishing attack content was also tailored to the attack target."
Last February, Adobe issued a different emergency patch for Flash after the discovery of CVE-2018-4878, a critical use-after-free flaw that researchers say was exploited by suspected North Korean actors Group123.
Adobe today also patched three other bugs, one of which was also designated as critical -- an arbitrary code execution vulnerability caused by type confusion (CVE-2018-4945, discovered by Tencent KeenLab, and Tencent PC Manager working withTrend Micro's Zero Day Initiative). The other two are two information disclosure flaws caused, respectively, by an integer overflow and an out-of-bounds read (CVE-2018-2000 and CVE-2018-5001, discovered by Trend Micro).