Adobe Systems released a critical security update on 6.02.2017 to fix the vulnerability discussed in this post. We recommend you to apply the update immediately.
Summary of the vulnerability
CVE-2018-4878 is a use-after-free vulnerability present in Adobe Flash Player 188.8.131.52 and its earlier versions are being exploited in the wild. A successful exploitation of this vulnerability could allow attackers to take control of the affected system. Attackers use a MS Office document which is distributed via a crafted email attachment (content embedded malformed Flash ActiveX object) to exploit this vulnerability.
Quick Heal had earlier published an advisory on this vulnerability.
Quick Heal analysis
Quick Heal Security Labs came across a malicious Excel document that uses this zero-day vulnerability.
The following is an analysis of the exploit sample.
Components of the XLSX document
Figure 2 displays the content of the decoy document (in Korean).
As shown in figure 2, the content of the decoy document is related to ‘cosmetic products’ along with their price.
As shown in figure 1, the malicious document contains an embedded Flash Player File (SWF) which in turn contains another encrypted SWF file, highlighted in figure 3 below.
The following ActionScript snippet is used to decrypt the embedded SWF file.
Upon opening the document, EXCEL.EXE loads a vulnerable version of Flash Player ActiveX (Flash32_XX_X_X_XXX.ocx) which is used to execute the embedded SWF file.
Unfortunately, at the time of our analysis, the C&C server did not respond and the attack could not proceed further for us to analyze it.
Details of the HTTP request sent by the exploit.
Definitions of the highlighted sections in figure 6.
ID: Unique Identifier
FP_VS: Flash Player version installed on the victim system
OS_VS: installed on the Operating System version of victim system
Indicators of compromise
What to do?
The attacker has encrypted a Flash object to make the analysis complex and difficult. The exploit retrieves the decryption key from the C&C Server which is currently inactive.
We are actively looking for other variants of this exploit for a detailed analysis.
Subject Matter Experts
Nitten Dhamanay, Siraj Attar | Quick Heal Security Labs