Massive Malspam Campaign Targets Unpatched Systems

Morphisec said that it has detected several malicious Word documents – part of a “massive” malspam campaign – that take advantage of a critical Adobe Flash Player vulnerability disclosed and patched earlier this month.

Cybercriminals are leveraging a recently patched critical Adobe Flash Player vulnerability in a massive spam campaign aimed at computers that have not yet installed the fix.

According to cybersecurity firm Morphisec, cybercriminals are blasting out spam messages that urge recipients to click a link and download a Word document. When a victim opens the document and enables macros, the document attempts to exploit an Adobe Flash Player bug (CVE-2018-4878) that Adobe patched earlier this month. Victims who fall for the ploy could ultimately hand control of their systems to an attacker, according to researchers.

Adobe classified the bug as critical, describing it as a use-after-free vulnerability in Adobe Flash Player on Windows, macOS, Linux and Chrome OS. The flaw was first reported by the South Korean Computer Emergency Response Team (KrCERT/CC) on Jan. 31, when it was found being delivered as a malicious Flash SWF file embedded in Microsoft Word and Excel documents.

Michael Gorelik, chief technology officer and vice president of research and development at Morphisec, said that in the recent campaign victims were sent emails containing short links from which the malicious Word documents were downloaded. He added that the documents were, for the most part, able to evade antivirus protection, showing a low detection ratio on VirusTotal.

“After downloading and opening the Word document, the attack exploits the Flash vulnerability 2018-4878 and opens a (command prompt), which is later remotely injected with a malicious shellcode that connects back to a malicious (C2) domain,” Gorelik wrote in a technical write-up outlining the attacks. “In the next step, the shellcode downloads a ‘m.db’ dll from the same domain, which is executed using the regsvr32 process in order to be able to bypass whitelisting solutions.”

regsvr32.exe (Microsoft Register Server) is a command-line utility built into Windows that registers and unregisters DLLs and ActiveX controls in the Windows Registry. Because it is a signed Microsoft binary that is typically already trusted by application whitelisting policies, attackers use it to load their own DLL rather than launching an unknown executable.
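The chain Gorelik describes (an Office process spawning a command prompt, then regsvr32 loading a DLL with an odd name from a user-writable path) is visible in ordinary process-creation telemetry. The following is an added example, not code from Morphisec or from the article: a small detector that walks process-creation events and flags those two signals. The log lines are constructed for illustration and the "key=value" format is an assumption that mimics Sysmon Event ID 1 fields; the process-name lists and path markers are likewise assumptions, not anything the campaign write-up specifies.

```python
"""Flag the Word -> cmd.exe -> regsvr32 <non-DLL> chain in process-creation events.

Added example. The event format below is an assumption (Sysmon-like key="value"
pairs); the sample events are constructed, not captured from the campaign.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed lists: Office hosts that should rarely spawn a shell, and shells of interest.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Path fragments (lower-cased) that indicate a user-writable location.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Extensions regsvr32 is normally handed; anything else (e.g. "m.db") is suspicious.
NORMAL_REGSVR_EXT = {".dll", ".ocx", ".ax"}

# Constructed sample events (not real telemetry). Backslashes are doubled for Python.
EVENTS = [
    'Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" CommandLine="cmd.exe"',
    'Image="C:\\Windows\\System32\\regsvr32.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" CommandLine="regsvr32 /s C:\\Users\\alice\\AppData\\Local\\Temp\\m.db"',
    'Image="C:\\Windows\\System32\\regsvr32.exe" ParentImage="C:\\Windows\\System32\\msiexec.exe" CommandLine="regsvr32 /s C:\\Windows\\System32\\mshtml.dll"',
    'Image="C:\\Windows\\explorer.exe" ParentImage="C:\\Windows\\System32\\userinit.exe" CommandLine="explorer.exe"',
]


@dataclass
class Event:
    image: str
    parent: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Parse one key="value" line into an Event (hypothetical format)."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return Event(fields["Image"], fields["ParentImage"], fields["CommandLine"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; PureWindowsPath works on any host OS."""
    return PureWindowsPath(path).name.lower()


def tokenize(cmdline: str) -> list:
    """Split a command line, keeping double-quoted arguments (paths with spaces) intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def regsvr32_target(cmdline: str) -> str:
    """Return the file regsvr32 was asked to load: the last non-switch argument."""
    args = [t for t in tokenize(cmdline)[1:] if not t.startswith(("/", "-"))]
    return args[-1] if args else ""


def analyze(ev: Event) -> list:
    """Return a list of finding strings for one event (empty list means benign)."""
    findings = []
    image, parent = basename(ev.image), basename(ev.parent)
    if parent in OFFICE_PROCESSES and image in SHELLS:
        findings.append(f"office_spawned_shell: {parent} -> {image}")
    if image == "regsvr32.exe":
        target = regsvr32_target(ev.cmdline)
        if not target:
            findings.append("regsvr32_without_target")
        else:
            if PureWindowsPath(target).suffix.lower() not in NORMAL_REGSVR_EXT:
                findings.append(f"regsvr32_nonstandard_extension: {target}")
            if any(marker in target.lower() for marker in USER_WRITABLE):
                findings.append(f"regsvr32_user_writable_path: {target}")
    return findings


def scan(lines: list) -> list:
    """Return (image basename, findings) for every event that produced a finding."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        findings = analyze(ev)
        if findings:
            hits.append((basename(ev.image), findings))
    return hits


if __name__ == "__main__":
    for image, findings in scan(EVENTS):
        print(image, findings)
```

The two rules are deliberately independent: the shell-from-Office rule fires on the first stage even if the DLL is later renamed to something ending in .dll, and the regsvr32 rules fire on the second stage even when the parent chain has been broken by the injected shellcode. A real deployment would look at parent lineage across more than one hop, but these two signals alone cover the chain as the write-up describes it.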

Researchers said the click analytics for the short links used in the spam campaign show the same pattern as legitimate email campaigns, which leaves defenders very little time to react. “Clickthroughs spike in the first couple of hours after emails are sent. Signature-based defenses, like antiviruses, cannot cope with this pace,” Gorelik wrote.

The campaign tracked by Morphisec was “just a few hours long” and targeted inboxes in the U.S. and Europe. “The documents were downloaded from the safe-storge[.]biz domain and went almost entirely undetected with a 1/67 detection ratio,” according to Gorelik.

An Adobe spokesperson, asked to comment on the spam campaign, said: “The majority of exploits are targeting software installations that are not up-to-date on the latest security updates. We always strongly recommend that users install security updates as soon as they are available.”

Looking forward, Gorelik said he expects CVE-2018-4878 to cause more headaches in the years to come.

“Adobe released a patch in early February, but it will take some companies weeks, months or even years to roll out the patch, and cyber criminals keep developing new ways to exploit the vulnerability in this window,” he said.
