Re-purposing Lucrative Exploits

Last month Adobe released a
Flash security update to remediate the zero-day Remote Code Execution (RCE)
CVE-2018-4878 vulnerability that was most visibly being utilized by the North
Koreans to spy upon the south. The South Korean CERT team noted that the exploit
was being actively used by the North to target valuable information assets in
the south as early as 31, January 2017. The vulnerability, scoring a 9.8 out of
10 base score from the National Vulnerability Database (NVD) was quickly
acknowledged by Adobe who posted a bulletin (APSA18-01) with security advisory
details for the critical vulnerability including mitigations. The 9.8 base
score from the NVD was due to the flaw being exploitable over the internet,
requiring low skill to execute the attack, without any privileges on the target
machine, and no user interaction with the target. The exploit is realized by a
malicious malformed flash object being embedded in Office documents. Once
opened the embedded SWF flash file would execute, downloading an additional
payload from the web, the Remote Access Trojan ROKRAT.
 






















Adobe released a patch for the
troubling zero-day on 6 of February to address CVE-2018- 4878 aiming to protect
victims from the RCE vulnerability, but attackers found a new way to exploit
CVE-2018-4878 as noted by TREND MICRO in their February 27, 2018 report stating
“The campaign involves the use of malicious spam – specifically with a
spam email that with an embedded link that directs the recipient to a Microsoft
Word lure document (Detected by Trend Micro as TROJ_CVE20184878.A and
SWF_CVE20184878.A) stored on the malicious website safe-storage[.]biz. After
the file is downloaded and executed, it will prompt the user to enable editing
mode to view what’s inside the document. This document is what triggers the
exploitation of CVE-2018-4878 – in particular, a cmd.exe window is opened that
is remotely injected with a malicious shellcode.”


 This reviving of CVE-2018-4878
illustrates not only the classic “cat and mouse” dance between
attacker and defender but also the ability and keenness of attackers to adapt
methods to keep exploiting lucrative vulnerabilities such as those with high
NVD scores.





Sources:

https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and- exploits/new-campaign-exploits-cve-2018-4878-anew-via-malicious-microsoft- word-documents


 
http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html



Thanks to Peraton CIP report for this information