As if the recent breach and subsequent public data dump involving the Italian company Hacking Team wasn’t bad enough, it all gets just a little bit worse. Emerging from the bowels of Hacking Team data dump was a Flash 0-day exploit (CVE-2015-5119) that was just patched today by Adobe as covered in APSB15-16. The exploit has since been added into the Angler Exploit Kit and integrated into Metasploit. However, not to be out done, APT attackers have also started leveraging the exploit in targeted spear phishing attacks as well. Before we start dishing the details, there is going to be one main takeaway from this blog post: If you haven’t already, update/patch your Adobe Flashnow.
Spear Phishing
This morning, a well known APT threat group, often referred to as Wekby, kicked off a rather ironic spear phishing campaign. The attackers launched spoofed e-mail messages purporting to be from Adobe. The e-mail messages references an Adobe Flash update and encourage the recipients to click a link to download and install the update. Take a look at an example of the spear phish e-mail message below.
The visible and spoofed source e-mail address for “Andre Vangils” is [email protected]. This is not a particularly advanced spear phish message. However, the visible link http://get.adobe.com, as you have likely guessed, does not actually go to Adobe’s website. Instead it leads to index.htm on an IP address belonging to a hosting provider named PEG TECH INC. This page is far less helpful than one would hope. Instead of providing a legitimate Adobe Flash update, the page loads a malicious SWF file instead. The following contents are found from the HTML page from the link:
<body> <div style=”position:fixed; top:50%; left:50%; width:600; height:400; margin-left:-300; margin-top:-200;”> <object classid=”clsid:D27CDB6E-AE6D-11cf-96B8-444553540000″ id=”swf” width=”600″ height=”400″> <param name=”movie” value=”movie.swf” /> <param name=”allowScriptAccess” value=”always” /> <embed src=”movie.swf” width=”600″ height=”400″ allowScriptAccess=”always” type=”application/x-shockwave-flash” /> </object> </div> </body> </html>
If you guess this was a Flash exploit, then you are 100% correct.
Exploits and Malware
The aforementioned exploit works on Adobe Flash versions all the way up to 18.0.0.194. You need to have updated your Flash since this morning to be safe from its grips. The attackers appear to have modified one of the exploits that came from the Hacking Team dump. Unlike most of the other versions we have observed up until this point, this SWF file is LZMA compressed and has the ZWS file header. There are plenty of great tools out there that can be used to look at Flash files. One of our favorites is SWF Investigator from Adobe. Poking around a bit we can see a few interesting labels that appear to reference Hacking Team, such as the one shown below:
Read Full Article Here







