Adobe issued an out-of-band update for Flash Player that patches a zero-day remote code execution vulnerability.
The vulnerability is currently being exploited in the wild, said researchers at Kaspersky Lab. They spotted the live attacks on October 10 and said the exploit is delivered through a Microsoft Word document and deploys the most recent version of the FinSpy (aka FinFisher) commercial malware developed by Gamma International.
The researchers said the BlackOasis attack group is leveraging the zero-day.
“The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control server as the payload used with CVE-2017-8759 uncovered by FireEye,” Kaspersky researchers said.
Once CVE-2017-11292 is exploited, the FinSpy malware ends up installed on the target computer and connects to C&C servers located in Switzerland, Bulgaria and the Netherlands, to await further instructions and exfiltrate data. At the same time, a lure/decoy document is displayed to the victim.
The researchers believe these attacks are minimal and highly targeted, as they flagged only one in their customer base.
Adobe said the vulnerability is currently being exploited in attacks against users running Windows, but affected product versions also include:
• Adobe Flash Player Desktop Runtime for Macintosh and Linux
• Adobe Flash Player for Microsoft Edge and Internet Explorer 11 (Windows 10 and 8.1)
• Adobe Flash Player for Google Chrome (on Windows, Macintosh, Linux and Chrome OS)