On October 17, 2017 a new CVE (CVE-2017-11292) was assigned to a zero-day Flash Player exploit discovered by Kaspersky Lab. The exploit is attributed to a threat actor group called BlackOasis. This group is known for assisting in the development and deployment of the FinSpy malware, which is sold to nation states and law enforcement agencies for use in lawful surveillance operations. Although the vulnerability is critical, since Flash Player is installed on most systems, the observed attacks appear to be limited in spread and highly targeted.
- The attack begins with the delivery of a Microsoft Office document, in most instances via e-mail.
- Embedded within the document is an ActiveX object that contains the Flash exploit.
- The Flash exploit itself contains an ActionScript code block that extracts the exploit using a custom packer seen in other FinSpy exploits in the past. It triggers a memory corruption vulnerability in the ActionScript class com.adobe.tvsdk.mediacore.BufferControlParameters; when successfully exploited, it gains arbitrary read/write access to process memory, which allows the execution of second-stage shellcode.
- The shellcode downloads the FinSpy payload and, upon execution, displays a decoy document so that opening the file looks legitimate to the victim.
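Because the initial delivery vehicle is an Office document carrying a Flash object, one practical hunt is to triage mail attachments for any OOXML part that declares the Shockwave Flash ActiveX control or embeds a SWF. The following is an added example written for this page, not code from the Kaspersky report or from the FinSpy samples. It uses only the Python standard library, checks for the three SWF magics (FWS, CWS, ZWS) with a sanity check on the SWF header, and looks for the Flash control CLSID in activeX parts. The sample docx it builds is constructed for the demonstration and carries only a header stub, not an exploit.

```python
import io
import re
import zipfile

# Magic at offset 0 of a SWF: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# CLSID of the Shockwave Flash ActiveX control. OOXML records it in
# word/activeX/activeXN.xml (and it appears in OLE object references).
FLASH_CLSID = re.compile(rb"D27CDB6E-AE6D-11CF-96B8-444553540000", re.IGNORECASE)


def swf_offsets(blob):
    """Offsets inside blob at which a plausible SWF header starts.

    A SWF header is magic (3 bytes), version (1 byte), then the uncompressed
    file length as a 32-bit little-endian integer. Requiring a sane version
    and a length of at least the header size filters out random 'CWS'
    matches in arbitrary binary data.
    """
    found = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx < 0:
                break
            header = blob[idx:idx + 8]
            if len(header) == 8:
                version = header[3]
                length = int.from_bytes(header[4:8], "little")
                if 1 <= version <= 50 and length >= 8:
                    found.append(idx)
            start = idx + 1
    return sorted(found)


def find_embedded_flash(doc_bytes):
    """Return [(part_name, reason), ...] for every part of an OOXML container
    (docx/xlsx/pptx) that declares or carries Flash content."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return hits  # legacy OLE2 .doc/.xls would need an OLE parser instead
    with zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if FLASH_CLSID.search(data):
                hits.append((info.filename, "references Shockwave Flash CLSID"))
            offsets = swf_offsets(data)
            if offsets:
                magic = data[offsets[0]:offsets[0] + 3].decode("ascii")
                hits.append((info.filename,
                             "%s SWF header at offset %d" % (magic, offsets[0])))
    return hits


def build_sample_docx(with_flash):
    """Constructed sample (hypothetical, not a real malicious document): a
    minimal docx, optionally with an ActiveX part that declares the Flash
    control and a .bin blob holding a zlib-compressed SWF header stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            zf.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>',
            )
            # SWF header: magic, version 27, uncompressed length 1234, then
            # filler standing in for the zlib stream that would follow.
            swf = (b"CWS" + bytes([27]) + (1234).to_bytes(4, "little")
                   + b"\x78\x9c" + b"\x00" * 32)
            # 64 bytes of OLE-looking padding before the SWF inside the .bin part
            zf.writestr("word/activeX/activeX1.bin",
                        b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for part, reason in find_embedded_flash(f.read()):
                print("%s: %s (%s)" % (path, part, reason))
```

Run it as `python scan_flash.py *.docx` over quarantined attachments. A hit is a triage signal, not a verdict: legitimate documents with embedded Flash exist, but in 2017 they are rare enough that any match arriving by e-mail deserves a look at the SWF itself.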
Today, October 18, Adobe released a patch (APSB17-32, Flash Player 27.0.0.170). We recommend that you confirm any systems running Flash have the latest, patched version installed. Note that Office loads the ActiveX build of Flash Player, so verify that build is updated and not only the browser plugins. Information on the patch can be found here: https://helpx.adobe.com/security/products/flash-player/apsb17-32.html