An Adobe Flash Player vulnerability patched last month is being exploited in targeted attacks right now. Attackers are trying to persuade victims to open a malicious Word document that carries an embedded Flash object, which in turn fetches the file that triggers the Flash bug. The fix has been available for nearly a month, but history has shown that flaws patched several months or even years ago remain quite valuable for targeted attacks.
Researcher Mila Parkour at Contagio analyzed one of the recent targeted attacks. The lure email, with the subject line “Iran’s Oil and Nuclear Situation”, carries a Word document as an attachment. If the victim opens the Word file, the Flash object embedded in it downloads an MP4 file from a remote server; that MP4 is malformed in a way that triggers the Flash parsing bug. The MP4, not the document, carries the actual trigger for the vulnerability, which means a scanner that inspects only the attachment sees a Flash object and a download URL, not the exploit itself.
“This is a message from a targeted attack and quite possibly you already received a few on your own – there seems to be a new campaign underway using this new CVE-2012-0754 exploit. The vulnerability exists in Flash and is exploited when it tries to parse a crafted MP4 file. Successful exploitation allows an attacker to execute arbitrary code,” Parkour wrote in the analysis.
“In this case, the attachment comes as a Word document ‘Iran’s Oil and Nuclear Situation.doc’ (and it can come as any document), which contains Flash instructing it to download and parse a malformed MP4. The dropped binary is a rather common trojan characterized by its traffic.”
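The chain described above (a Word document carrying an embedded Flash object that fetches a malformed MP4) can be triaged without executing anything: the Office file is scanned for SWF headers, the Flash body is decompressed, and any URLs it references are pulled out. The script below is an added example written for this article; it is not Parkour's code and not part of the original analysis. The sample document it scans is constructed inline, and the URL, offsets and SWF body in it are placeholders, not values from the real campaign.

```python
"""Triage helper: locate Flash (SWF) objects embedded in an Office document and
extract any URLs the Flash body references, such as a remote MP4 it would load.
Added example for this article; not code from the original analysis."""
import re
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib-compressed, LZMA-compressed
MAX_SWF_VERSION = 40                    # assumption: generous upper bound on the SWF version byte
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def find_swf_objects(data: bytes):
    """Return plausible SWF headers found anywhere in `data`, sorted by offset.

    Each hit records the offset, container kind, SWF version, the header's
    declared uncompressed length, whether that length matches the recovered
    body, and any URLs seen in the body. Flash inside a .doc is stored as an
    OLE object, so raw bytes are scanned rather than trusting the document's
    own structure.
    """
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            hit = _parse_header(data, pos, magic)
            if hit is not None:
                hits.append(hit)
            pos = data.find(magic, pos + 1)
    hits.sort(key=lambda h: h["offset"])
    return hits


def _parse_header(data: bytes, pos: int, magic: bytes):
    if pos + 8 > len(data):
        return None
    version = data[pos + 3]
    declared_len = struct.unpack_from("<I", data, pos + 4)[0]   # length incl. 8-byte header
    remaining = len(data) - pos
    # The version and length fields weed out ASCII coincidences like "FWS announced".
    if version == 0 or version > MAX_SWF_VERSION or declared_len < 8:
        return None
    payload = data[pos + 8:]
    if magic == b"FWS":
        if declared_len > remaining:
            return None
        body = payload[:declared_len - 8]
    elif magic == b"CWS":
        try:
            body = zlib.decompressobj().decompress(payload)   # tolerates trailing document bytes
        except zlib.error:
            return None
        if not body:
            return None
    else:
        body = b""   # ZWS is LZMA-compressed; the header is recorded but not decoded here
    return {
        "offset": pos,
        "kind": magic.decode(),
        "version": version,
        "declared_len": declared_len,
        "length_ok": (len(body) + 8 == declared_len) if magic != b"ZWS" else None,
        "urls": URL_RE.findall(body),
    }


OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"           # Compound File (.doc) signature
CONSTRUCTED_URL = b"http://example.invalid/Iran-Oil.mp4"   # constructed placeholder, not the real server


def build_sample_doc() -> bytes:
    """Constructed blob mimicking a .doc that carries a zlib-compressed SWF.

    The SWF body is a placeholder, not a playable movie: the header fields are
    real, the rest is filler plus a URL string of the kind a loader stub would
    pass to a NetStream to fetch a remote MP4.
    """
    body = b"\x00" * 13                                   # placeholder RECT / frame rate / frame count
    body += b"\x00" * 32 + CONSTRUCTED_URL + b"\x00\x00\x00"   # filler, URL, End tag
    declared_len = 8 + len(body)
    swf = b"CWS" + bytes([10]) + struct.pack("<I", declared_len) + zlib.compress(body)
    decoy = b"Weekly NEWS: FWS announced the schedule. CWS meeting moved."   # magics in plain text
    return OLE_MAGIC + b"\x00" * 504 + decoy + b"\x00" * 64 + swf + b"\x00" * 128


def scan_sample():
    return find_swf_objects(build_sample_doc())


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

The decoy text shows why the version and length fields matter: the three-letter magics appear in ordinary prose, and a plain string search would report them, whereas the header checks (and, for CWS, a successful zlib decompression whose output matches the declared length) discard them. A hit whose body references a URL ending in .mp4 is the pattern this campaign would produce.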
Once the exploit succeeds, it drops a Trojan that is detected by a good number of antimalware products. The instructions for its communications with the remote host are hard-coded into the binary, Parkour found.
The CVE-2012-0754 Flash flaw that this attack exploits is a remote code execution bug in Flash Player's handling of MP4 content, and it affects a number of platforms, including Windows, Linux, Solaris and Android.