A Flash Player zero-day is now being exploited in an active attack, researchers said.
The zero-day, CVE-2018-4878, is being leveraged by a North Korean group that FireEye calls TEMP.Reaper and Cisco calls Group 123.
“We have observed TEMP.Reaper operators directly interacting with their command and control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang. The STAR-KP network is operated as a joint venture between the North Korean Government’s Post and Telecommunications Corporation and Thailand-based Loxley Pacific,” FireEye researchers said in a post.
“Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year.”
In this latest attack, first discovered by the South Korean CERT, the targets were obviously South Korean.
The Excel file carrying an embedded SWF file with the exploit is in Korean.
“Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third-party websites hosted in South Korea. Preliminary analysis indicates that the vulnerability was likely used to distribute the previously observed DOGCALL malware to South Korean victims,” FireEye researchers said.
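The delivery vehicle described above is an Office spreadsheet with a Flash object embedded in it. The following is an added triage check, not code from the article, FireEye or Cisco: it flags documents that carry an embedded SWF by looking for the three SWF signatures (FWS uncompressed, CWS zlib-compressed, ZWS LZMA-compressed) with a plausible version byte and declared length, inside each member of a zip-based .xlsx/.docx or in the raw bytes of a legacy .xls. The sample documents it scans are constructed in memory and contain no real exploit; the member path `xl/embeddings/oleObject1.bin` and the sanity bounds on version and length are assumptions chosen for the example.

```python
"""Flag Office documents that carry an embedded SWF (Flash) object.

Added example for triage, not code from the article or from FireEye/Cisco.
Sample documents below are constructed in memory, not real malware.
"""
import io
import struct
import zipfile

# SWF signatures: three magic bytes, then a one-byte version, then a
# little-endian uint32 file length (uncompressed length for CWS/ZWS).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_swf_offsets(data: bytes) -> list:
    """Return offsets of plausible SWF headers in a byte buffer.

    The three ASCII letters can occur by chance, so a hit also needs a
    small Flash version number and a sane declared length (assumed bounds).
    """
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx == -1:
                break
            if idx + 8 <= len(data):
                version = data[idx + 3]
                declared_len = struct.unpack_from("<I", data, idx + 4)[0]
                if 1 <= version <= 64 and 8 <= declared_len <= 256 * 1024 * 1024:
                    hits.append(idx)
            start = idx + 1
    return sorted(hits)


def scan_document(data: bytes) -> dict:
    """Scan an Office document for embedded SWF objects.

    Zip-based packages (.xlsx/.docx) are inspected member by member, since the
    members are deflated and a raw scan would miss them; anything else (e.g. a
    legacy OLE .xls, which stores embedded objects uncompressed) is scanned raw.
    """
    result = {"members": {}, "raw": []}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                offsets = find_swf_offsets(zf.read(name))
                if offsets:
                    result["members"][name] = offsets
    else:
        result["raw"] = find_swf_offsets(data)
    return result


def has_embedded_swf(data: bytes) -> bool:
    """True when the document contains at least one plausible SWF header."""
    r = scan_document(data)
    return bool(r["members"]) or bool(r["raw"])


def build_sample_xlsx(embed_swf: bool) -> bytes:
    """Constructed sample: a minimal zip mimicking an xlsx package layout.

    With embed_swf=True an (assumed) oleObject member starts with a fake,
    harmless FWS header: magic, version 10, declared length 64, zero padding.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if embed_swf:
            fake_swf = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56
            zf.writestr("xl/embeddings/oleObject1.bin", fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_xlsx(False)),
                       ("embedded", build_sample_xlsx(True))):
        print(label, scan_document(doc))
```

A hit is a reason to detonate the file in a sandbox or block it at the mail gateway, not proof of exploitation: legitimate documents can embed Flash too, and an SWF wrapped in an additional encrypted or encoded layer would not be caught by a signature scan like this.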
Cisco researchers call the malware ROKRAT; it lets attackers remotely manipulate the compromised system.
“One of the ROKRAT samples identified used a naming reference to Hancom Secure AnySign. It is a reference to a legitimate application developed by Hancom Secure for PKI & authentication mechanisms. It is a software application used to protect user data and is massively used in South Korea,” Cisco researchers said in a post.
“This payload is a shellcode loaded in memory and executed. We identified Flash exploits from November 2017,” the researchers said.
This was apparently an extremely targeted attack, and it is unlikely that anyone else is taking advantage of the exploit – for now. Still, with the vulnerability now public, it’s likely that criminals are already working on creating an exploit.
Adobe said it “will address this vulnerability in a release planned for the week of February 5.”