APT28 is also being named as one of the cyber gangs attempting to take advantage of the Adobe Flash vulnerability CVE-2017-11292.
Proofpoint believes APT28, which has ties to the Russian government, is in the mix based on emails sent to various government foreign ministries and businesses in the aerospace field in Europe and the United States. Trend Micro previously attributed other incidents exploiting this vulnerability, which was patched on October 16, to the BlackOasis APT group. Proofpoint is not sure how APT28 gained access to it but suggests the group could have bought it from BlackOasis, reverse engineered it, or discovered the vulnerability on its own.
The cyber gangs are now racing to use the vulnerability before potential victims patch their systems, Proofpoint said.
APT28 is using specially crafted documents, with titles like "World War 3", as bait to entice the target into opening the document, which allows the exploit to be downloaded from APT28's command and control server.
“This malicious document embeds the same Flash object twice in an ActiveX control for an unknown reason, although this is likely an operational mistake. The Flash files work in the same manner as the last known attack using this tool: the embedded Flash decompresses a second Flash object that handles the communication with the exploit delivery server. The only difference is that this second Flash object is no longer stored encrypted,” Proofpoint wrote.