Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to carry out early warning analysis of Adobe Flash zero-day vulnerabilities in opposition attacks. the content of the article is of high quality, so the editor shares it for you as a reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Core Security Advanced threat response team has intercepted the 0day vulnerability in the wild attack, attackers in Office documents, web pages, spam embedded malicious Flash attacks, users open files or links will be caught! Please beware of links and documents from unknown sources. Currently, Adobe has not released an official patch. In the further spread of attacks, the use of 360security guards can fully defend and block possible attacks.

Analysis of attacks in the field

Attackers carefully planned social engineering attacks on the relevant personnel, and sent excel bait documents containing vulnerabilities and malicious code to the relevant personnel through live chat tools and mailboxes to trick the victims into opening the trap.

The bait document contains an ActiveX object, which corresponds to a swf file, and the ActiveX object automatically plays the flash content when the document is opened.

After the flash in the bait document is played, the next step is to load the swf file that exploits the Flash zero-day vulnerability (cve-2018-4878) from the remote web server for execution.

The url website of the cve-2018-4878 vulnerability file is a regular Korean company website, which is suspected to have been hacked and completely controlled by an attacker, and the attacker can add arbitrary malicious code to the website.

Hxxp://www.dylboiler.co.kr/admincenter/files/boad/4/manager.php

Furthermore, we analyze the intercepted cve-2018-4878 vulnerability swf file. The vulnerability exists in the DRMManager object of flash. The related method calls are not handled correctly to lead to UAF (Use-After-Free) vulnerabilities. By modifying the Length of the ByteArray object, we can complete arbitrary memory read and write execution and execute the final shellcode code. The related attack exploitation methods are similar to the Flash Exploit techniques used in Hacking Team exposure a few years ago.

Shellcode will eventually download the remote control Trojan for execution. Through the analysis of the Trojan, we find that the Trojan is suspected to be the ROKRAT series Trojan exposed by Cisco Talos Lab, which has also been used for malicious attacks on South Korean office software HWP documents.

On how to carry out Adobe Flash zero-day vulnerability in the wild attack early warning analysis is shared here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.