Several Targeted Attacks exploiting Adobe Flash Player (CVE-2012-0779)

May 6, 2012 | Jaime Blasco
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

A couple of days ago, Adobe issued a security update for Adobe Flash Player that has been detected in the wild targeting specific objectives.

Several spear phishing campaigns have been detected. The mails sent contain a Word document attachment. It contains a reference to a Flash file that is downloaded from a remote server once the document is opened. This Flash file exploits the CVE-2012-0779 vulnerability triggering a shellcode that looks for the payload within the original word document. The payload is decoded using a one byte XOR scheme, dropped on the system and then executed.

Most of the malicious Flash files have low AV detection rates so it is very important to apply the vendor’s patch.

We have seen several documents sent to a wide range of industries as well as Tibet related NGO’s. Some examples are:

Once the victim opens the document, the malicious Flash file is downloaded from a remote server:

In the vast majority of the documents we have analyzed, the malicious files are hosted on hacked websites.

We will release more information as well as IDS signatures to detect some of the payloads we have seen so far.

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL