More than three months after it was patched, attackers are still using a vulnerability in Adobe’s Flash product in targeted, ‘APT-style’ attacks. The vulnerability, identified as CVE-2012-0754, was patched in February and linked to targeted attacks weeks later. But new attacks against unpatched systems are still circulating, according to a report from Xecure Lab, which found that attackers are continuing to refine their technique months after Adobe issued a patch for the hole.
CVE-2012-0754 was patched on February 15. It is a remote code execution bug that affects versions of Flash running on a number of platforms, including Windows, Linux, Solaris and Android.
Xecure said that it detected a variant of the “SB” family of Trojans being installed in attacks that leverage the Flash bug.
Independent analysis by researcher Brandon Dixon of another recent PDF that also targeted the CVE-2012-0754 vulnerability revealed ties to a series of targeted attacks dating to March and to a separate attack in late April, Dixon wrote on the 9bplus blog. The malware used in that attack was similar to a family identified by Symantec as “Barkiofork” and Trojan.ADH.2, though the final analysis is not in, Dixon wrote. The malware used a PDF document titled “Understanding Blood Tests Without a Medical Degree,” connected to a remote command and control server, and relayed information from the infected host.
This isn’t the first time that attackers have taken advantage of the CVE-2012-0754 vulnerability. In March, security researchers recovered e-mail messages containing malicious Word for Windows document attachments that exploited the Flash vulnerability with a malicious MP4 pulled from a server controlled by the attacker. The latest attacks improve upon the March attacks in two ways: they use a malicious PDF instead of a Word document, and they bundle the MP4 file that exploits the vulnerability inside the PDF rather than fetching it from a remote server, Xecure said.
Correction: An earlier version of this story stated, inaccurately, that the PDF analyzed by Dixon was identical to the one analyzed by Xecure. The story has been corrected. — PFR 5/23/2012