A recently patched Flash Player flaw was exploited in a widespread attack spam campaign primarily targeting South Koreans.
The vulnerability was first spotted in the wild as part of a different malspam campaign in late January 2018 by the South Korean Computer Emergency Response Team (KR-CERT), in attacks launched by the North Korean threat group APT 37, also known as Group 123, according to a 4 February Security Boulevard blog post.
Researchers from the Hauri security firm, however believe the exploit has been in use since November 2017. The vulnerability could lead to remote code execution in Adobe Flash Player 22.214.171.124 and earlier versions and potentially allow an attacker to take control of the affected system. The flaw was patched in a 6 February Adobe System update.
The vulnerability was most recently spotted in a new campaign with changes made to bypass traditional static detection systems that already had signatures for the original exploit.
“Researchers from security firm Morphisec now report that they've seen CVE-2018-4878 being exploited in a massive malspam campaign that distributes shortened URLs pointing to malicious Word documents,” researcher said in the blog. “The documents embed the exploit code for the Flash Player vulnerability, which, if executed, will launch cmd.exe and will download an additional payload from a remote server.”
The most recent campaign was spotted on 22 February and was able to bypass most of the existing static scanning solutions due to slight modifications, despite the vulnerability being patched almost a month prior.
“As expected and predicted, adversaries have quickly adopted the Flash exploit, which is easily reproducible,” Morphisec researchers said. “With small variations to the attack, they successfully launched a massive malspam campaign and bypassed most of the existing static scanning solutions once again.”
The use of the exploit highlights the urgency of patching vulnerable equipment as threat actors are getting faster in weaponising exploits.