Yet another group of attackers has quickly cashed in on one of the Adobe Flash zero days uncovered in the HackingTeam leak and is leveraging it to target Japanese organizations.
Last week, researchers determined that attackers had compromised two Japanese websites, those of the country’s International Hospitality and Conference Service Association (IHCSA) and Cosmetech, Inc., to exploit CVE-2015-5122, one of two Flash zero-day vulnerabilities Adobe patched last Tuesday.
The group has split its infrastructure across the two compromised Japanese sites, a strategic web compromise that has led researchers to believe the attackers are targeting organizations in Japan.
According to FireEye, which discovered the attacks and says it has observed at least two victims so far, the exploit is a two-step process: users who visit a particular URL on the IHCSA’s site are redirected to the HackingTeam Adobe Flash exploit framework hosted on Cosmetech’s website. From there, assuming the user is running an old version of Flash, the site serves a malicious .SWF file, which in turn drops a relatively new strain of malware, SOGU.
While the malware – which also goes by the nickname Kaba – is a backdoor widely used by Chinese threat groups, researchers couldn’t connect any specific Chinese APT group to the campaign.
FireEye couldn’t confirm how organizations were targeted, but it suggests that victims of this campaign may also have been lured with phishing emails, since other, similar APT groups that have used HackingTeam Flash zero-days this month have delivered them via spearphishing.
It’s been a rocky summer for Adobe; about a week ago the company rushed out a new version of Flash that addressed CVE-2015-5122, first disclosed to Adobe by FireEye, along with CVE-2015-5123, another flaw that surfaced in the HackingTeam breach earlier this month.
The new group is one of several that have incorporated an Adobe zero-day into their campaigns in the wake of the HackingTeam breach.
Just days after the breach came to light, attackers with both APT 18 and APT 3 began using CVE-2015-5119, the first Flash vulnerability that emerged, to carry out phishing attacks against a slew of organizations. Adobe addressed that vulnerability, along with 46 other bugs in Reader, Acrobat and Shockwave, with a security update the week before last.