December 11, 2018

A new zero-day vulnerability in Adobe Flash has been found and exploited in a malicious campaign, with the Flash object embedded in an Office document via ActiveX.

The vulnerability is substantial, and exploiting it demonstrates considerable skill.

The attack followed a simple infection chain: RAR archive containing an Office document -> Office document with embedded Flash -> download of the final RAT malware
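As an added defender-side illustration (not code from the original post or from Votiro), the following Python script scans an OOXML document for ActiveX parts whose CLSID is the public Shockwave Flash control identifier, which is how a Flash object embedded via ActiveX shows up inside a .docx. The sample document is constructed in memory for the demonstration; the helper name and the minimal document layout are assumptions.

```python
import io
import zipfile
from xml.etree import ElementTree

# Registered CLSID of the Shockwave Flash ActiveX control (public, well-known value).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# Namespace used by OOXML ActiveX control parts (word/activeX/activeX1.xml etc.).
AX_NS = "{http://schemas.microsoft.com/office/2006/activeX}"


def flash_activex_parts(doc_bytes):
    """Return the names of ActiveX parts that instantiate the Flash control."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for name in z.namelist():
            # ActiveX control definitions live under word/, xl/ or ppt/ activeX/ folders.
            if "/activeX/" not in name or not name.endswith(".xml"):
                continue
            try:
                root = ElementTree.fromstring(z.read(name))
            except ElementTree.ParseError:
                # A part that does not parse is itself worth flagging for review.
                hits.append(name + " (unparseable ActiveX part)")
                continue
            # The ax:ocx element carries the control's CLSID in ax:classid.
            for ocx in root.iter(AX_NS + "ocx"):
                clsid = ocx.get(AX_NS + "classid", "").strip("{}").upper()
                if clsid == FLASH_CLSID:
                    hits.append(name)
    return hits


def build_sample_docx(embed_flash):
    """Constructed minimal .docx (hypothetical helper), with or without a Flash part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if embed_flash:
            z.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                'ax:classid="{%s}" ax:persistence="persistStreamInit"/>' % FLASH_CLSID,
            )
    return buf.getvalue()


if __name__ == "__main__":
    print(flash_activex_parts(build_sample_docx(True)))   # ['word/activeX/activeX1.xml']
    print(flash_activex_parts(build_sample_docx(False)))  # []
```

Real documents may also carry the control as a binary activeX1.bin part, so a production check should pair this CLSID match with inspection of the .bin streams rather than rely on the XML alone.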


Backup.exe is a dropper for the final payload, a sophisticated backdoor.

This RAT holds several functions which can be remotely triggered:

Thread 0 - Anti-analysis: Checks whether the program's own file name conforms to the HASH naming convention; if it does, sets the self-destroy flag.
Thread 1 - Resume: Monitors user activity and sends a 0x401 message (which creates a thread for registering a scheduled task) when the user types on the keyboard or moves the mouse.
Thread 2 - Sleep: Enters sleep mode at random, using the current system time for comparison, and randomly sends a WM_COPYDATA message (the main message loop sleeps for some time after receiving this instruction).
Thread 3 - Self-destroy timer: Compares a time string embedded in the program with the system time. If the current system time is later, sets the flag bit and sends message 0x464 to the main window (triggering self-destruction); if the self-destroy flag is already set, sends 0x464 directly.
Thread 4 - Communication: Collects machine information and sends it to the C&C; executes shellcode, loads a PE in memory, and downloads and executes files.
Thread 5 - Register for auto-start: Checks whether the current program path matches the previously saved path, and adds a startup item to the registry.
Thread 6 - Register a scheduled task: Checks for AV software on the device and self-destructs if any is detected; otherwise copies itself to another directory and adds a scheduled task disguised as an NVIDIA control panel to start it.
Thread 7 - Self-destroy: Stops the scheduled task disguised as an NVIDIA control panel, cleans up related files, and self-destructs.


However, Votiro clients are always protected as we sanitize ActiveX embedded within Office documents by default.

We invite all to try our Disarmer for free – evolve from detection to prevention with ease!

Further technical information and image credits:
