Adobe is phasing out its Flash product next year, but the problem is that Flash will live on for quite a while after it is gone.
That is why FireEye developed FLASHMINGO, a framework to automate the analysis of SWF files. FLASHMINGO enables analysts to triage suspicious Flash samples and investigate them further with minimal effort. It integrates into various analysis workflows as a stand-alone application or can be used as a powerful library. Users can easily extend the tool’s functionality via custom Python plug-ins, said Carlos Garcia Parado, senior reverse engineer at FireEye.
Adobe Flash is one of the most exploited software components of the last decade. Its complexity and ubiquity make it an obvious target for attackers, Garcia Parado said. Public sources list more than 1,000 CVEs assigned to Flash Player alone since 2005. Almost 900 of these vulnerabilities have a Common Vulnerability Scoring System (CVSS) score of nine or higher.
After more than a decade of playing cat and mouse with the attackers, Adobe is finally deprecating Flash in 2020, Garcia Parado said in a post.
A common misconception exists that Flash is already a thing of the past; however, history has shown us that legacy technologies linger for quite a long time. If organizations do not phase Flash out in time, the security threat may grow beyond Flash’s end of life due to a lack of security patches, Garcia Parado said.
“As malware analysts on the FLARE team, we still see Flash exploits within malware samples,” Garcia Parado said. “We must find a compromise between the need to analyze Flash samples and the correct amount of resources to be spent on a declining product.”
FLASHMINGO leverages the open source SWIFFAS library to do the heavy lifting of parsing Flash files. All binary data and bytecode are parsed and stored in a large object named SWFObject. This object contains all the information about the SWF relevant to the analysis: a list of tags, information about all methods, strings, constants and embedded binary data, to name a few. It is essentially a representation of the SWF file in an easily queryable format.
FLASHMINGO is a collection of plug-ins that operate on the SWFObject and extract interesting information.
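The parse-then-plug-in design described above, as an added illustration that is not FLASHMINGO's or SWIFFAS's own code: a minimal SWF tag walker that handles the FWS and zlib-compressed CWS headers and the short/long tag record form, followed by a triage plug-in that queries the resulting object. The SWFObject here is a hypothetical stand-in for the framework's object of the same name, and build_sample_swf constructs a fixture rather than loading a real sample.

```python
import struct
import zlib
from collections import namedtuple

# SWF tag codes (from the SWF specification) that matter most when triaging a sample.
TAG_NAMES = {0: "End", 69: "FileAttributes", 76: "SymbolClass", 82: "DoABC", 87: "DefineBinaryData"}
SWFObject = namedtuple("SWFObject", "signature version tags")  # hypothetical stand-in for FLASHMINGO's object

def parse_swf(data: bytes) -> SWFObject:
    sig, version = data[:3].decode("ascii"), data[3]
    body = zlib.decompress(data[8:]) if sig == "CWS" else data[8:]   # LZMA ("ZWS") is not handled here
    if sig not in ("FWS", "CWS"):
        raise ValueError(f"unsupported signature {sig!r}")
    nbits = body[0] >> 3                         # frame RECT: 5-bit Nbits, then four Nbits-wide fields
    pos = (5 + 4 * nbits + 7) // 8 + 4           # skip byte-aligned RECT, frame rate (u16), frame count (u16)
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        code, tag_len, pos = code_and_len >> 6, code_and_len & 0x3F, pos + 2
        if tag_len == 0x3F:                      # long form: an explicit 32-bit length follows
            tag_len, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        tags.append((code, body[pos:pos + tag_len]))
        pos += tag_len
        if code == 0:
            break
    return SWFObject(sig, version, tags)

def triage_plugin(swf: SWFObject) -> dict:
    """Plug-in style pass over the SWFObject: which tags exist, how much AS3 bytecode, embedded blobs."""
    counts = {}
    for code, _ in swf.tags:
        name = TAG_NAMES.get(code, f"tag_{code}")
        counts[name] = counts.get(name, 0) + 1
    abc_bytes = sum(len(p) for c, p in swf.tags if c == 82)
    blobs = [p[6:] for c, p in swf.tags if c == 87]   # DefineBinaryData: u16 id, u32 reserved, then data
    return {"version": swf.version, "tag_counts": counts, "abc_bytes": abc_bytes, "embedded_blobs": blobs}

def build_sample_swf(compress: bool = False) -> bytes:
    """Constructed fixture, not a real sample: FileAttributes, one DoABC, one DefineBinaryData, End."""
    def tag(code, payload):  # short record for < 63 bytes, otherwise long record with explicit u32 length
        hdr = struct.pack("<H", (code << 6) | min(len(payload), 0x3F))
        return hdr + (struct.pack("<I", len(payload)) if len(payload) >= 0x3F else b"") + payload
    body = b"\x00" + struct.pack("<HH", 0x1800, 1)                    # Nbits=0 RECT, 24 fps (8.8 fixed), 1 frame
    body += tag(69, struct.pack("<I", 0x08))                          # FileAttributes with ActionScript3 flag
    body += tag(82, struct.pack("<I", 1) + b"frame1\x00" + bytes([16, 0, 46, 0]) + bytes(70))  # 85-byte DoABC
    body += tag(87, struct.pack("<HI", 1, 0) + b"MZ\x90\x00")          # DefineBinaryData carrying a small blob
    body += tag(0, b"")
    header = (b"CWS" if compress else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)
```

The same SWFObject feeds any number of plug-ins, which is the property that lets a framework like FLASHMINGO add checks without touching the parser.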
FLASHMINGO provides malware analysts a flexible framework to quickly deal with these pesky Flash samples without getting bogged down in the intricacies of the execution environment and file format.
Find the FLASHMINGO tool on the FireEye public GitHub repository.