There is an Adobe Flash Zero Day exploit delivered through a Microsoft Word document that deploys the FinSpy commercial malware.
The Zero Day, CVE-2017-11292, has been spotted in a live attack, and they advise businesses and government organizations to install the update from Adobe immediately.
Kaspersky Lab discovered the vulnerability and reported it to Adobe, which issued an advisory.
The researchers believe the group behind the attack was also responsible for CVE-2017-8759, another Zero Day, reported in September — and they are confident the threat actor involved is BlackOasis, which the Kaspersky Lab Global Research and Analysis Team began tracking in 2016.
Upon successful exploitation of the vulnerability, the FinSpy malware (also known as FinFisher) is installed on the target computer, researchers said. FinSpy is a commercial malware, typically sold to nation states and law enforcement agencies to conduct surveillance. In the past, use of the malware was mostly domestic, with law enforcement agencies deploying it for surveillance on local targets.
BlackOasis is a significant exception to this — using it against a wide range of targets across the world. It appears now FinSpy is employing global intelligence operations, with one country using it against another.
The malware used in the attack is the most recent version of FinSpy, equipped with multiple anti-analysis techniques to make forensic analysis more difficult.
After installation, the malware establishes a foothold on the attacked computer and connects to its command and control servers located in Switzerland, Bulgaria and the Netherlands, to await further instructions and exfiltrate data, the researchers said.
BlackOasis’ interests involve aspects of Middle Eastern politics, including prominent figures in the United Nations, opposition bloggers and activists, as well as regional news correspondents. They also appear to have an interest in specific regional verticals. During 2016, the company’s researchers observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering and other activities.
So far, victims of BlackOasis have been in: Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, United Kingdom and Angola.
“The attack using the recently discovered Zero Day exploit is the third time this year we have seen FinSpy distribution through exploits to Zero Day vulnerabilities,” said Anton Ivanov, lead malware analyst at Kaspersky Lab. “Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by Dero day exploits such as the one described here, will continue to grow.”
Kaspersky Lab researchers advise organizations to take the following actions:
• If not already implemented, use the killbit feature for Flash software and, wherever possible, disable it completely
• Implement an advanced, multi-layered security solution that covers all networks, systems and endpoints
• Educate and train personnel on social engineering tactics as this method is often used to make a victim open a malicious document or click on an infected link
• Conduct regular security assessments of the organization’s IT infrastructure
Click here for more technical details, including indicators of compromise and YARA rules.