On February 22, 2018, Morphisec Labs noticed several malicious Word files exploiting the latest Flash vulnerability, CVE-2018-4878, in the wild in a large malspam campaign. Adobe released a patch in early February; however, cyber criminals know that it will take some organizations weeks, months or even years to roll out the patch.
All of the files showed a very low detection ratio and successfully downloaded the next-stage artifacts from a newly registered domain. Analyzing the attack, it became clear that it took the attackers only a few simple modifications to the original targeted attack to outplay static defenses once again.
Note to Morphisec customers: Morphisec prevents all variants of this attack, from the first version one and a half years ago to this latest one leveraging CVE-2018-4878.
The documents were downloaded from the safe-storage[.]biz domain and went almost entirely undetected, with a 1/67 detection ratio.
While many security defenses missed their target, the attack didn't. In the emails, the victims received short links to the malicious site generated with Google URL Shortener. This gives us the opportunity to view the analytics for the short links, such as click rate and the mail host used. We see, for example, that victims opened it via Outlook, Gmail and the Italian web host Aruba.it. This is of course only a partial picture; we detected five different short links, but there are probably more.
The analytics for the short links show the same pattern as legitimate email campaigns. Click-throughs spike in the first couple of hours after the emails are sent. Signature-based defenses, such as anti-virus, cannot cope with this pace.
After downloading and opening the Word document, the attack exploits the Flash vulnerability CVE-2018-4878 and opens cmd.exe, which is later remotely injected with malicious shellcode that connects back to the malicious domain.
Additionally, the extracted SWF Flash file had a very low detection score on VirusTotal:
The disassembled Flash file had a very similar signature to existing PoCs, with particular similarity to the stripped 32-bit PoC. Unlike the original attack, the current malspam campaign does not have a 64-bit implementation.
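As an added triage example (not part of the original post or Morphisec's tooling), the following Python script treats a .docx as the ZIP container it is and flags every part that carries an SWF header, which is how an embedded Flash object stored under word/activeX/ surfaces in a static scan. The sample documents are constructed in memory and are not the real samples from the campaign.

```python
import io
import re
import zipfile

# An SWF begins with FWS (uncompressed), CWS (zlib) or ZWS (LZMA),
# followed by a one-byte Flash version and a 4-byte little-endian length.
# The version byte is bounded to cut down on chance matches in binary data.
SWF_HEADER = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x32]")


def find_embedded_swf(docx_bytes):
    """Return (zip member, offset) pairs for every SWF header found inside an
    OOXML document. The whole part is searched, not just offset 0, because the
    Flash data does not always sit at the start of an activeX*.bin part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # decompressed part contents
            for m in SWF_HEADER.finditer(data):
                hits.append((info.filename, m.start()))
    return hits


# Constructed ActiveX parts: one wrapping a zlib-compressed SWF (version 32)
# behind 16 bytes of padding, one holding only an OLE compound-file header,
# i.e. a non-Flash control that must not be flagged.
FLASH_PART = b"\x00" * 16 + b"CWS\x20" + (100).to_bytes(4, "little") + b"\x00" * 8
OLE_PART = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24


def build_sample_docx(activex_part=None):
    """Construct a minimal stand-in .docx; activex_part, if given, becomes the
    word/activeX/activeX.bin member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if activex_part is not None:
            zf.writestr("word/activeX/activeX.bin", activex_part)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_swf(build_sample_docx(FLASH_PART)))  # [('word/activeX/activeX.bin', 16)]
    print(find_embedded_swf(build_sample_docx(OLE_PART)))    # []
```

The header match is a triage heuristic, not proof of exploitation; a flagged part should be extracted and examined, as the post does with the SWF above.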
Conclusion
As expected, the adversaries eagerly adopted the Flash exploit, which is easily reproducible. With small variations to the attack they successfully launched a massive malspam campaign and once again bypassed most of the current static scanning solutions.
Morphisec's Endpoint Threat Prevention solution is agnostic to the morphing and obfuscation of the exploit, and prevented the exploit before any damage could occur.
Artifacts:
Artifact | SHA-256
2018_017581961.docx | 6374349443708c96ad41b3f9b891b33f7dec65fdf13e6b424d4d0ab7969c5e71
activeX.bin | eaf0f57cbcbda0dbd2c60c5719731ddeab76b6a10367d2679854202fdca27388
activeX.bin | 176ad6129ece312f128a3195bf5afc130801f2e849f89bc97610c1ce8d730772
SWF | 6f2c41e665aab873d213583697d70ee79ad59a2b649164c15bd63518b09c429d
<unknown name>.docx | 862c6ef1d24d2cba9878b5e919683629c3516d9121f5cf703ff1ca42e2a06a77
Domain: safe-storage[.]biz:443
Short links:
goo[.]gl/okCYMJ
goo[.]gl/4rHQkh
goo[.]gl/GA8sBY
goo[.]gl/H1EHRG
goo[.]gl/JnYb7s