Adobe has patched the Flash Player zero-day vulnerability exploited by a relatively new advanced persistent threat (APT) group, dubbed "ScarCruft", in attacks aimed at high-profile targets.
Alongside the release of Flash Player 18.104.22.168, Adobe addressed a total of 36 flaws that can lead to arbitrary code execution and information disclosure. The type confusion, use-after-free, heap buffer overflow, directory search path, and same-origin policy (SOP) bypass vulnerabilities were reported to the vendor by experts from Google, Tencent, Cisco, Microsoft, Qihoo 360, Pangu LAB, Kaspersky Lab and FireEye.
Anton Ivanov and Costin Raiu from Kaspersky Lab are the experts who reported the most important security hole. The issue, tracked as CVE-2016-4171, has been exploited in targeted attacks by the ScarCruft threat group in a campaign the experts dubbed "Operation Daybreak."
ScarCruft has been observed targeting entities in Nepal, Romania, Russia, South Korea, Kuwait, China and India. It is believed that the actor has used at least one other Flash Player zero-day (CVE-2016-4117) and one Microsoft Windows zero-day (CVE-2016-0147) in its operations – both of which have been patched. The group leveraged CVE-2016-4117 in a campaign called Operation Erebus, which also involved watering holes.
Operation Daybreak is aimed at high-profile targets; the attackers used spear-phishing emails to lure victims to a compromised website hosting the Flash Player exploit. Kaspersky Lab says it has identified over two dozen victims, including a law enforcement agency in Asia, one of the world's largest trading companies, a US-based mobile advertising firm, a restaurant in Dubai, and the International Association of Athletics Federations.
The Flash Player vulnerability, which is located in the code that parses ExecPolicy metadata information, allows cyber criminals to achieve full remote code execution. In Operation Daybreak, the exploitation chain leverages three Flash objects, with a legitimate PDF document served at the end to avoid raising suspicion.
Security researchers found that the attackers used a clever method to bypass modern anti-malware products that might be installed on victims' systems. The exploit decrypts and executes shellcode that downloads and runs a DLL file. This component is loaded directly into the exploited application, and the payload can be executed using several methods, including one that leverages a bug in Dynamic Data Exchange (DDE), a Windows protocol used to share data between applications.
"It is not a secret that anti-malware systems trigger on special system functions that are called in the context of potentially vulnerable applications to make a deeper analysis of API calls such as CreateProcess, WinExec or ShellExecute," Ivanov and Raiu stated.
"For instance, such defense technologies trigger if a potentially vulnerable application such as Adobe Flash starts other untrusted applications, script interpreters or even the command console," the experts added. "To make execution of the payload invisible for these defense systems, the threat actors used the Windows DDE interface in a very clever way."
Kaspersky Lab informed Microsoft about how this undocumented behavior in Windows has been abused by malicious actors.
The final payload used in the attack, a CAB file, contains four malicious DLLs signed with an invalid certificate with serial numbers copied from legitimate certificates from the Chinese company Tencent.
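As an added example, not code from this article or from Kaspersky Lab, the following PowerShell function flags exactly the pattern described above: DLLs that carry an Authenticode signature which does not validate, and signer certificates whose serial number collides with one recorded for a legitimate publisher. The function name, the `$KnownGoodSerials` map and the serial value in it are assumptions and constructed placeholders.

```powershell
# Constructed placeholder inventory of trusted publisher certificates,
# keyed by serial number. Populate it from your own certificate inventory.
$KnownGoodSerials = @{
    '0123456789ABCDEF0123456789ABCDEF' = 'CN=Example Publisher (placeholder)'
}

function Test-SuspiciousDllSignature {
    param(
        [Parameter(Mandatory)] [string] $Directory,
        [hashtable] $KnownSerials = $KnownGoodSerials
    )
    Get-ChildItem -Path $Directory -Filter '*.dll' -Recurse -File | ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert    = $sig.SignerCertificate
        $reasons = @()

        # A signature that is present but does not validate (hash mismatch,
        # broken chain, untrusted root) is the condition described for these DLLs.
        if ($cert -and $sig.Status -ne 'Valid') {
            $reasons += "signature status $($sig.Status)"
        }
        # A serial number copied from a legitimate certificate collides with the
        # inventory while the subject or the validation result does not match.
        if ($cert -and $KnownSerials.ContainsKey($cert.SerialNumber)) {
            $expected = $KnownSerials[$cert.SerialNumber]
            if ($cert.Subject -ne $expected -or $sig.Status -ne 'Valid') {
                $reasons += "serial $($cert.SerialNumber) reused (expected subject: $expected)"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path    = $_.FullName
                Subject = $cert.Subject
                Issuer  = $cert.Issuer
                Serial  = $cert.SerialNumber
                Status  = $sig.Status
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

# Usage: point it at the directory where the CAB contents were extracted.
Test-SuspiciousDllSignature -Directory 'C:\Quarantine\extracted_cab' | Format-Table -AutoSize
```

Unsigned DLLs are deliberately not flagged here; if unsigned binaries are unexpected in the directory being checked, extend the first condition to cover a status of NotSigned as well.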
The experts claim that the malware delivered in Operation Daybreak is "extremely rare" and likely reserved only for high-profile targets. This and other pieces of malware used by ScarCruft are detected as HEUR:Trojan.Win32.ScarCruft.gen.