ANOTHER FLASH VULNERABILITY
December 11, 2018
A new 0-day vulnerability in Adobe Flash Player, CVE-2018-15982 (a use-after-free), has been found exploited in a malicious campaign: the attackers embedded the malicious Flash content in an Office document as an ActiveX control, so the exploit is delivered through a document rather than a browser.
The exploit is sophisticated, and developing it took considerable skill.
The infection chain is simple: RAR archive containing an Office document -> Office document with the embedded Flash (ActiveX) exploit -> dropper (backup.exe) -> final RAT payload.
backup.exe is the dropper for the final payload, a sophisticated backdoor (RAT).
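The second link in that chain, Flash content carried inside an Office document, is what a sanitizer or a triage script has to spot. The following is an added example written for this post (it is not Votiro's product code and not part of the 360 analysis): it opens an OOXML file as a zip, reads every ActiveX part and compares its ax:classid against the Shockwave Flash control CLSID, and additionally looks for an SWF signature (FWS/CWS/ZWS) inside binary parts such as the persisted ActiveX stream. The sample .docx it scans is constructed in memory for the demonstration; the part names and CLSID are real OOXML/Windows values, the sample content is not from the actual campaign.

```python
"""Added example: triage an OOXML document (.docx/.xlsx/.pptx) for embedded Flash.

Two indicators are checked:
  1. an ActiveX part whose ax:classid is the Shockwave Flash control CLSID;
  2. a binary part carrying an SWF signature (FWS/CWS/ZWS) with a plausible version byte.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

AX_NS = "http://schemas.microsoft.com/office/2006/activeX"
# CLSID registered for the Shockwave Flash ActiveX control (Flash.ocx).
FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"
# SWF signatures: uncompressed, zlib-compressed, LZMA-compressed. Byte 3 is the version.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
ACTIVEX_PART = re.compile(r"^(word|xl|ppt)/activeX/activeX\d+\.xml$")


def find_swf(blob: bytes):
    """Return (offset, magic) of the first plausible SWF header in blob, or None."""
    for magic in SWF_MAGICS:
        idx = blob.find(magic)
        while idx != -1:
            # The byte after the magic is the SWF version; real files stay well below 64.
            if idx + 3 < len(blob) and 1 <= blob[idx + 3] < 64:
                return idx, magic.decode()
            idx = blob.find(magic, idx + 1)
    return None


def scan_ooxml(data: bytes):
    """Return a list of (part_name, reason) findings for the bytes of an OOXML file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if ACTIVEX_PART.match(name):
                try:
                    root = ET.fromstring(blob)
                except ET.ParseError:
                    findings.append((name, "unparseable ActiveX part"))
                    continue
                clsid = (root.get(f"{{{AX_NS}}}classid") or "").upper()
                if clsid == FLASH_CLSID:
                    findings.append((name, "ActiveX control is Shockwave Flash"))
                continue
            hit = find_swf(blob)
            if hit is not None:
                offset, magic = hit
                findings.append((name, f"{magic} SWF signature at offset {offset}"))
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Constructed minimal .docx-shaped zip for the demonstration; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        if with_flash:
            # ActiveX part pointing at Flash.ocx, plus a persisted stream with an SWF inside it.
            zf.writestr("word/activeX/activeX1.xml",
                        f'<ax:ocx xmlns:ax="{AX_NS}" ax:classid="{FLASH_CLSID}" '
                        'ax:persistence="persistStreamInit"/>')
            zf.writestr("word/activeX/activeX1.bin", b"\x00" * 24 + b"CWS\x0a" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No file given: run against the constructed sample.
        for name, reason in scan_ooxml(build_sample_docx(True)):
            print(f"{name}: {reason}")
    for path in paths:
        with open(path, "rb") as fh:
            for name, reason in scan_ooxml(fh.read()):
                print(f"{path} -> {name}: {reason}")
```

Run it with one or more document paths, or with none to see the constructed sample flagged. Two caveats: the scanner covers only OOXML (zip) containers, so legacy OLE2 .doc files need a CFB parser instead, and the Movie property of a Flash control can point at an external URL rather than carrying the SWF in the document, which is why the CLSID check matters independently of the signature search.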
The RAT implements the following functions, dispatched through messages to its main window loop and through commands from the C&C:

| # | Function | Behaviour |
|---|----------|-----------|
| 0 | Anti-analysis | Checks whether its own file name follows a hash naming convention (as samples renamed by sandboxes and analysis pipelines typically do); if so, sets the self-destruct flag. |
| 1 | Resume | Monitors user activity; when keyboard or mouse input is seen, sends message 0x401, which creates a thread that registers the scheduled task. |
| 2 | Sleep | Randomly enters sleep mode, using the current system time as the input, by sending itself WM_COPYDATA; the main message loop sleeps for a period after receiving it. |
| 3 | Self-destruct timer | Compares a time string stored in the program with the system time. If the current time is later, sets the flag and sends message 0x464 to the main window (self-destruct); if the self-destruct flag is already set, sends 0x464 directly. |
| 4 | Communication | Collects machine information and sends it to the C&C; can execute shellcode, load a PE in memory, and download and execute a file. |
| 5 | Register for auto-start | Checks whether the current program path matches the previously saved path and adds a startup entry to the registry. |
| 6 | Register scheduled task | Checks for AV software on the host and self-destructs if any is found; otherwise copies itself to another directory and adds a scheduled task disguised as the NVIDIA control panel to launch it. |
| 7 | Self-destruct | Stops the scheduled task disguised as the NVIDIA control panel, cleans up related files, and deletes itself. |
Votiro customers are protected by default: ActiveX controls embedded in Office documents are removed during sanitization, so the Flash exploit never reaches Flash Player and no signature for the new vulnerability is required.
We invite all to try our Disarmer for free – evolve from detection to prevention with ease!
Further technical information and image credits: http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN