Exploits for a newly reported zero-day vulnerability in Adobe’s Flash Player drop a password-grabbing Trojan that targets the email and social media accounts of users and organizations in China, researchers at Kaspersky Lab said today.
The attacks appear to be an isolated campaign and there is no connection between these exploits and a new advanced espionage campaign called The Mask that Kaspersky researchers are expected to unveil next week at the company’s Security Analyst Summit.
Adobe issued an emergency patch for the zero-day yesterday; CVE-2014-0497 allows an exploit to remotely inject code and control the underlying system hosting the vulnerable software. Flash Player 18.104.22.168 and earlier on Windows and Mac systems are affected as is version 22.214.171.1245 on Linux.
Kaspersky Lab researchers Alexander Polyakov and Anton Ivanov reported the bug to Adobe after finding a set of new .swf exploits, said Vyacheslav Zakorzhevsky, head of the vulnerability research group at Kaspersky Lab.
Researchers discovered 11 exploits—for Flash versions 11.3.372.94, 11.3.375.10, 11.3.376.12, 11.3.377.15, 11.3.378.5, 11.3.379.14, 11.6.602.167, 11.6.602.180, 11.7.700.169, 11.7.700.202, 11.7.700.224—all of them unpacked .swf files with identical actionscript code that performs a version check on the victim’s operating system. The exploits work against Flash running on Windows XP, Vista, Windows Server 2003 and 2003 R2, Windows 7 and 7 64-bit, Windows Server 2008 R2, Windows 8 and Windows 8 64-bit, and Mac OS X 10.6.8.
Once the OS check is done, the malware assembles a return-oriented programming (ROP) chain depending on the version of Windows and Flash that is installed. Shellcode specific to the OS version is then generated and the exploit executes, Zakorzhevsky said.
It appears the attacks start with phishing emails in which the victims are sent infected .docx documents that contain an embedded Flash video, Zakorzhevsky said.
“When a document is opened, an embedded flash exploit drops and starts an easy downloader to the disk, which downloads a fully featured backdoor and а Trojan,” Zakorzhevsky said. “Afterwards, the program steals passwords from popular email clients and grabs logins and passwords from Web forms of popular social media and email services.”
Kaspersky could not confirm whether these were targeted attacks, but it is likely. The malicious .docx and Flash files have titles written in Korean and were found on three computers, one in an email attachment opened on a Mac OS X machine, and two in the browser cache of a Windows 7 machine, likely also after the victim opened an email. The browser used on the Windows machine was Chinese, SogouExplorer, and the Mac mailbox was hosted on 163[.]com, a Chinese web-based email provider.
Researchers were able to find only one exploit containing executable files, a downloader, Trojan-Downloader.Win32.Agent.hdzh, encrypted with Microsoft CryptoAPI and hosted on a free hosting service bugs3[.]com. The executables included password stealers for email clients and social media sites including Google, Yahoo, Twitter, Facebook and many others. The backdoor, Backdoor.Win32.Agent.dfdq, connects to one of three command and control servers: sales[.]eu5[.]org; www[.]mobilitysvc[.]com; and javaupdate[.]flashserve[.]net.
Zakorzhevsky said the campaign is ongoing and that researchers have not been able to view documents being sent to the command and control server. Zakorzhevsky said this is likely an isolated campaign and Kaspersky Lab researchers have not been able to link of the malicious Word or Flash files to an existing botnet.
There is also no link to the Mask campaign, researchers said. A post on the Securelist blog this week said The Mask was above Duqu in terms of sophistication and is one of the most advanced threats in the wild.
“The Mask is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products,” the blog post said.
Adobe, meanwhile, urges its customers to update Flash immediately because of the active exploits. A complete rundown of updates in the Adobe advisory:
- Users of Adobe Flash Player 126.96.36.199 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 188.8.131.52.
- Users of Adobe Flash Player 184.108.40.2065 and earlier versions for Linux should update to Adobe Flash Player 220.127.116.116.
- Adobe Flash Player 18.104.22.168 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 22.214.171.124 for Windows, Macintosh and Linux.
- Adobe Flash Player 126.96.36.199 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 188.8.131.52 for Windows 8.0.
- Adobe Flash Player 184.108.40.206 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 220.127.116.11 for Windows 8.1.