An analysis of an MS Office document exploiting a zero-day Flash Player vulnerability (CVE-2018-4878)

Credit to Author: Quick Heal Security Labs | Date: Wed, 07 Feb 2018 13:59:42 +0000

Important update! Adobe Systems released a critical security update on 6.02.2017 to fix the vulnerability discussed in this post. We recommend that you apply the update immediately.

Summary of the vulnerability

CVE-2018-4878 is a use-after-free vulnerability in Adobe Flash Player 28.0.0.137 and earlier versions, and it is being exploited in the wild. Successful exploitation of this vulnerability could allow an attacker to take control of the affected system. Attackers deliver an MS Office document as a crafted email attachment; the document embeds a malformed Flash ActiveX object that triggers the vulnerability. Quick Heal had earlier published an advisory on this vulnerability.

Quick Heal analysis

Quick Heal Security Labs came across a malicious Excel document that uses this zero-day vulnerability. The following is an analysis of the exploit sample.

Components of the XLSX document

Figure 1

Figure 2 displays the content of the decoy document (in Korean).

Figure 2

As shown in figure 2, the decoy document lists cosmetic products along with their prices. As shown in figure 1, the malicious document contains an embedded Flash Player file (SWF), which in turn contains another, encrypted SWF file, highlighted in figure 3 below.

Figure 3

The following ActionScript snippet is used to decrypt the embedded SWF file.

Figure 4

Upon opening the document, EXCEL.EXE loads a vulnerable version of the Flash Player ActiveX control (Flash32_XX_X_X_XXX.ocx), which is used to execute the embedded SWF file.

Figure 5

Unfortunately, at the time of our analysis the C&C server did not respond, so the attack could not proceed further for us to analyze. Figure 6 shows the details of the HTTP request sent by the exploit.

Figure 6

Definitions of the highlighted sections in figure 6:
ID: unique identifier
FP_VS: Flash Player version installed on the victim system
OS_VS: operating system version installed on the victim system

Indicators of compromise

5F97C5EA28C0401ABC093069A50AA1F8
www[.]dylboiler[.]co[.]kr

What to do?

Update your Flash Player: Adobe has released the security update that fixes the discussed vulnerability.
Update your antivirus.
Enable Protected Mode for MS Office applications.
Until you apply the fix, temporarily block the Flash Player ActiveX control for MS Office applications.

Conclusion

The attacker has encrypted the Flash object to make analysis complex and difficult. The exploit retrieves the decryption key from the C&C server, which is currently inactive. We are actively looking for other variants of this exploit for a detailed analysis.
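A defender-side triage script, added here as an example (this is not Quick Heal's code): it unpacks an OOXML container and flags the parts that carry an embedded SWF, the way the document in figure 1 carries its Flash ActiveX object. The xlsx it scans is a constructed skeleton, not the real exploit sample, and the SWF-header check is a heuristic on the FWS/CWS/ZWS signature plus a plausible version and length.

```python
import io
import re
import struct
import zipfile

# SWF files start with 'FWS' (uncompressed), 'CWS' (zlib) or 'ZWS' (LZMA), then a one-byte
# format version and a 4-byte little-endian uncompressed length. Heuristic: a match also needs
# a plausible version and length, which weeds out chance 3-letter hits in ordinary data.
SWF_HEADER = re.compile(rb"(?P<sig>[FCZ]WS)(?P<ver>[\x01-\x40])(?P<len>.{4})", re.DOTALL)

# OOXML parts where a Flash ActiveX control or an OLE object persists its data.
CONTAINER_PARTS = ("xl/activeX/", "word/activeX/", "ppt/activeX/", "/embeddings/")


def find_swf_headers(data: bytes):
    """Return (offset, signature, version, declared_length) for each plausible SWF header."""
    hits = []
    for m in SWF_HEADER.finditer(data):
        length = struct.unpack("<I", m.group("len"))[0]
        if 8 <= length <= 64 * 1024 * 1024:  # must cover the header, must not be absurd
            hits.append((m.start(), m.group("sig").decode(), m.group("ver")[0], length))
    return hits


def scan_ooxml_for_flash(doc_bytes: bytes):
    """Walk an OOXML zip (xlsx/docx/pptx) and report every part carrying an embedded SWF."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not any(p in name for p in CONTAINER_PARTS):
                continue
            for off, sig, ver, length in find_swf_headers(zf.read(name)):
                findings.append({"part": name, "offset": off, "signature": sig,
                                 "version": ver, "length": length})
    return findings


def build_sample_xlsx() -> bytes:
    """Constructed sample (not the real exploit file): xlsx skeleton with a Flash ActiveX part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        # Persisted control data: OLE compound-file magic, padding, then a zlib-flagged SWF header.
        swf = b"CWS" + bytes([28]) + struct.pack("<I", 4096) + b"\x00" * 16
        zf.writestr("xl/activeX/activeX1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_ooxml_for_flash(build_sample_xlsx()):
        print(f"{f['part']} @ {f['offset']}: {f['signature']} v{f['version']}, {f['length']} bytes")
```

Run it against a suspect attachment with `scan_ooxml_for_flash(open(path, "rb").read())`; any hit in an activeX or embeddings part is worth a closer look while the vulnerable Flash ActiveX control remains installed.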