Espionage Group Leverages Flash Zero Day

Monday, June 29, 2015 @ 06:06 PM gHale

A Flash Player Zero Day vulnerability patched by Adobe is currently undergoing exploitation from an advanced threat group from China, researchers said.

Security researchers at FireEye named the group APT3 and said it targets organizations from industry sectors like aerospace and defense, construction and engineering, high tech, telecommunications and transportation.

Adobe Patches Flash Zero Day
Adobe Fixes Flash Player Vulnerabilities
Flash Vulnerability Fixed, then Exploited
Adobe Updates Flash Player

Victims end up lured with a generic phishing email whose text is very similar to spam messages. In an example, researchers were able to show the bait used was an offer for a refurbished iMac system certified by Apple, with a discount between $200 and $450. The email further enticed the recipient with availability of one-year extendable warranty for the product.

Clicking on the provided link redirected to a server with scripts that checked if the visitor’s computer was worth compromising. If it presented no interest, the user would receive non-harmful content, If the attacker remained interested, the victim would get malicious SWF and FLV files. The vulnerability exploited in the attack is a heap buffer overflow, now identified as CVE-2015-3113.

The attack code relies on common vector corruption techniques to get past the Address Space Layout Randomization (ASLR) protection from buffer overflow events. It also relies on a new ROP (Return-Oriented Programming) technique to bypass Data Execution Prevention (DEP) and other protection mechanisms, such as ROP detection, researchers said in a blog post.

The latest campaign from APT3 called Operation Clandestine Wolf and researchers said the group is also responsible for other previously identified campaigns (Operation Clandestine Fox) and produces browser-based Zero Day exploits for Internet Explorer, Firefox and Flash Player.

“After successfully exploiting a target host, this group will quickly dump credentials, move laterally to additional hosts, and install custom backdoors,” FireEye said.

Although FireEye is aware of the group’s activity, tracking down its command and control infrastructure is not an easy task because the attacker does not use the same assets in multiple campaigns.