An analysis of an MS office document exploiting a zero-day flash player vulnerability (CVE-2018-4878)

Important update!
Adobe Systems released a critical security update on 6.02.2017 to fix the vulnerability discussed in this post. We recommend that you apply the update immediately.

Summary of the vulnerability

CVE-2018-4878 is a use-after-free vulnerability in Adobe Flash Player 28.0.0.137 and earlier versions that is being exploited in the wild. Successful exploitation could allow attackers to take control of the affected system. Attackers exploit this vulnerability with an MS Office document, distributed as a crafted email attachment, whose content embeds a malformed Flash ActiveX object.

Quick Heal had earlier published an advisory on this vulnerability.

Quick Heal analysis

Quick Heal Security Labs came across a malicious Excel document that uses this zero-day vulnerability.

The following is an analysis of the exploit sample.

Components of the XLSX document

Figure 1

Figure 2 displays the content of the decoy document (in Korean).

Figure 2

As shown in figure 2, the content of the decoy document is related to ‘cosmetic products’ along with their prices.

As shown in figure 1, the malicious document contains an embedded Flash Player File (SWF) which in turn contains another encrypted SWF file, highlighted in figure 3 below.

Figure 3

The following ActionScript snippet is used to decrypt the embedded SWF file.

Figure 4

Upon opening the document, EXCEL.EXE loads a vulnerable version of Flash Player ActiveX (Flash32_XX_X_X_XXX.ocx) which is used to execute the embedded SWF file.

Figure 5
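The document components in figure 1 and the loading of the Flash ActiveX control described above suggest a simple defensive triage check. The following Python script is an added example (not code from the post or from Quick Heal) that scans the parts of an OOXML package for an embedded SWF header or a reference to the Flash ActiveX control; the Flash CLSID and the constructed sample package are assumptions supplied by the example, not values taken from the analysed document.

```python
import io
import re
import zipfile

# SWF header: signature FWS/CWS/ZWS (uncompressed, zlib, LZMA) followed by a
# one-byte version; real Flash versions are small, which filters random hits.
SWF_HEADER = re.compile(rb"[FCZ]WS[\x01-\x3c]")
# CLSID of the Shockwave Flash ActiveX control. Assumption supplied by this
# example; the post does not list it.
FLASH_CLSID = b"D27CDB6E-AE6D-11CF-96B8-444553540000"


def find_flash_parts(xlsx_bytes):
    """Scan every part of an OOXML package (xlsx/docx/pptx are zip files)
    and return (part_name, reason) pairs that point at embedded Flash."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
        for name in pkg.namelist():
            data = pkg.read(name)
            if name.lower().endswith(".xml"):
                # activeX1.xml and similar parts name the control by CLSID.
                if FLASH_CLSID.lower() in data.lower():
                    hits.append((name, "references Flash ActiveX CLSID"))
            else:
                # Binary parts (activeX1.bin, oleObject1.bin, media) may carry
                # a SWF at any offset, e.g. inside an OLE persist stream.
                m = SWF_HEADER.search(data)
                if m:
                    hits.append((name, "SWF header %s at offset %d"
                                 % (m.group()[:3].decode(), m.start())))
    return hits


def build_sample(with_flash):
    """Constructed minimal package for demonstration, not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            pkg.writestr("xl/activeX/activeX1.xml",
                         '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>')
            # 16 bytes of padding, then a fake zlib-compressed SWF header
            # (version 10, length field) and an opaque body.
            pkg.writestr("xl/activeX/activeX1.bin",
                         b"\x00" * 16 + b"CWS\x0a\x40\x00\x00\x00" + b"x\x9c")
    return buf.getvalue()


if __name__ == "__main__":
    for part, why in find_flash_parts(build_sample(True)):
        print(part, "->", why)
```

The same scan applies unchanged to .docx and .pptx packages, since they share the OOXML layout.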

Unfortunately, at the time of our analysis, the C&C server did not respond and the attack could not proceed further for us to analyze it.

The following are the details of the HTTP request sent by the exploit.

Figure 6

The highlighted sections in figure 6 are defined as follows.

ID: Unique identifier

FP_VS: Flash Player version installed on the victim system

OS_VS: Operating System version installed on the victim system

Indicators of compromise

  1. 5F97C5EA28C0401ABC093069A50AA1F8
  2. www[.]dylboiler[.]co[.]kr

What to do?

  1. Update your Flash Player. Adobe has released the security update to fix the discussed vulnerability.
  2. Update your antivirus.
  3. Enable Protected Mode for MS Office applications.
  4. Until you apply the fix, temporarily block the Flash Player ActiveX control for MS Office applications.

Conclusion

The attacker has encrypted a Flash object to make the analysis complex and difficult. The exploit retrieves the decryption key from the C&C server, which is currently inactive.

We are actively looking for other variants of this exploit for a detailed analysis.


Subject Matter Experts

Nitten Dhamanay, Siraj Attar | Quick Heal Security Labs
