Flash fixes a dangerous bug already used in attacks

Adobe has urgently updated Flash Player, closing a zero-day vulnerability that is already being exploited in a targeted attack. According to the bulletin, CVE-2018-15982 is a use-after-free error that can lead to arbitrary code execution in the context of the current user.
Flash Player releases 31.0.0.153 and earlier are vulnerable. Users are advised to update the product on all platforms to build 32.0.0.101 as soon as possible.
At the same time, Adobe fixed a flaw in the Flash Player installer, which it rated as important. This vulnerability (CVE-2018-15983) allows an attacker to replace a DLL that is loaded when the player starts and thereby elevate the privileges of malicious code. The DLL hijacking is remedied by installing installer release 31.0.0.122 (on Windows), which can be downloaded from the Download Center together with the patched Flash Player, or obtained in the usual way through the built-in update mechanism.
Adobe received notification of the zero-day exploit on November 29; several researchers, including the Chinese company Qihoo 360 and California-based Gigamon, filed reports. Analysis showed that the malicious RAR archive used in the targeted attacks contains a decoy document in .docx format and a file scan042.jpg carrying the final payload.
Copies of the decoy document were also found on VirusTotal: the files 22.docx and 33.docx were uploaded for scanning from the same Ukrainian IP address. Their contents are identical and consist of a Russian-language employee questionnaire from a Moscow departmental polyclinic with a hidden Flash object targeting CVE-2018-15982.
Simulating the attack in a lab showed that opening the document is enough to run the exploit and the payload. However, Microsoft Word's protection warns the user that embedded content may be malicious. If the user agrees to continue, a command is executed that extracts the scan042.jpg file and runs the backup.exe it contains, a custom-built Trojan with backdoor functions.
The malicious code is signed with a stolen certificate issued to a British transport company (it has since been revoked). The malware first checks the system for antivirus products from F-Secure, Panda, ESET, Avira, Bitdefender, Symantec (Norton) or Kaspersky Lab. If it detects the corresponding files or processes, it uses its self-destruct functionality.
Otherwise, the Trojan copies itself to the %LocalAppData% folder, passing the copy off as the NVIDIA Control Panel, and adds a registry key to run its code every time the user logs on.
On its first connection to the malicious command-and-control server, it sends Base64-encoded information about the infected system via an HTTP POST request. Judging by the IP address, the C2 server is located in Romania.
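Two checks a defender can run from the facts in this article, as an added example (not code from the article or from Adobe): a version comparison against the fixed Flash builds named in the bulletin, and a hunt over Sysmon-style registry events for the persistence pattern described above (a Run-key value pointing at a binary under %LocalAppData%). The event records, SID, user name and the SecurityHealth entry are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Fixed builds named in the Adobe bulletin quoted by the article.
FLASH_PLAYER_FIXED = (32, 0, 0, 101)     # CVE-2018-15982 (use-after-free)
FLASH_INSTALLER_FIXED = (31, 0, 0, 122)  # CVE-2018-15983 (installer DLL hijack)

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '31.0.0.153' into (31, 0, 0, 153) so builds compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))

def needs_update(installed: str, fixed: Tuple[int, ...]) -> bool:
    """True when the installed build is older than the first fixed build."""
    return parse_version(installed) < fixed

# Sysmon-style registry 'value set' events (EventID 13), constructed for this example.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"(%LocalAppData%|\\AppData\\Local\\)", re.IGNORECASE)

def suspicious_run_entries(events: List[Dict[str, object]]) -> List[str]:
    """Return Run-key value names whose target binary lives under the user's
    %LocalAppData%, the persistence pattern the article attributes to the trojan."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:          # only 'value set' events carry a path
            continue
        target = str(ev.get("TargetObject", ""))
        details = str(ev.get("Details", ""))
        if RUN_KEY.search(target) and USER_WRITABLE.search(details):
            hits.append(target.rsplit("\\", 1)[-1])   # the Run value name
    return hits

SAMPLE_EVENTS = [  # constructed sample data, not taken from the incident
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA Control Panel",
     "Details": r"C:\Users\alice\AppData\Local\NVIDIA Control Panel\backup.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"EventID": 12,  # key created, no value: ignored
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    print("Flash Player 31.0.0.153 needs update:", needs_update("31.0.0.153", FLASH_PLAYER_FIXED))
    print("Suspicious Run entries:", suspicious_run_entries(SAMPLE_EVENTS))
```

Some legitimate software (OneDrive, for example) also autostarts from %LocalAppData%, so treat a hit as a triage lead to be checked against the binary's signer and location, not as a verdict.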
Source: https://threatpost.ru/adobe-patches-flash-zero-day-exploited-itw/29586/
