Report: Adobe zero-day exploit similar to HackingTeam tool

Written by

Adobe issued a new patch for a zero-day security vulnerability that exploited a flaw in the company’s Flash Player. The flaw, uncovered by researchers from the security vendor Gigamon, was exploitable through Microsoft Word, according to a report published Wednesday.

Researchers discovered the vulnerability after a Ukrainian IP address submitted the details to VirusTotal, a malware analysis site, the Gigamon report said. The document was made to look like a job application form for a Russian health clinic, but in fact was meant to deliver reconnaissance malware. Researchers also said the hacking technique was similar to tools used by HackingTeam, an Italian surveillance company that had much of its spyware leaked in 2015.

Gigamon researchers did not attribute this malware to HackingTeam because many of the company’s tools have been publicly accessible online for three years, meaning other hackers could have replicated some of that malicious code. The researchers also did not prioritize attribution, arguing that it’s more important to protect against the attack.

“At best, [attribution] could aid the victim’s organization in determining intent and guiding response actions, but in reality, whether it is Hacking Team, a impersonator, or completely unrelated, the fact remains a valid zero-day might have been used to perform targeted exploitation against a victim,” the researchers wrote.

Researchers say the malicious Word document contains an embedded Flash ActiveX control — a way to use Flash Player within Microsoft Office program — which detects when the document is opened, then exploits Flash within Microsoft Word. The technique highlights how Adobe’s Flash player, despite years of warnings from security researchers, still is a popular method of attack for hackers.

“Although the death of Flash has been widely reported thanks to industry efforts to deprecate and remove Flash from web browsers, vectors such as Microsoft Office remain able to load and execute Flash content,” the report says. “Flash exploitation can be expected to continue as long as there are valid weaponization vectors that permit reliable execution.”

Researchers said with moderate confidence that the payload associated with the attack is a variant of the Scout malware, which is linked to HackingTeam. Scout collects system information form its target and sends it back to the perpetrator’s sever.

The phishing files and payloads have attributes that might make them look benign to defensive programs on the victim’s computer, like metadata and certificates associated with legitimate organizations.

Gigamon researchers note that they did not observe the attack affecting any victims. However the specific premise of the lure Word document makes this look like a highly targeted attack, researchers said. They cautioned that they have observed “other spear phishing attacks with lures with no relation to their actual targets and thus without visibility over the affected persons.”

The research was done by Gigamon’s Applied Threat Research (ATR) team, which was recently integrated into the company when Gigamon acquired network security startup ICEBRG.

The disclosure to Adobe prompted the company to release an out-of-band patch on Wednesday, two weeks after another unscheduled patch for a zero-day flaw (CVE-2018-15982). Flash is considered one of the most risk-prone popular programs and Adobe has said it will stop supporting it in 2020.