Last Thursday, the Palo Alto Networks Unit 42 threat intelligence team found a watering hole attack on the website of a well-known aerospace firm. The website had been compromised to launch a watering-hole attack against the company's customers: it was hosting an Adobe Flash exploit targeting a vulnerability newly disclosed in the Hacking Team data breach, CVE-2015-5122.
The malware set up by this exploit has been seen in several targeted attacks, providing hackers with a hold on the victim's machine or network.
The exploit file, movie.swf, was compressed, a technique often used to evade anti-virus scanners. Once the exploit file was decompressed, a second copy of the exploit was found embedded inside the Flash file.
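The packaging described above (a zlib-compressed SWF with another SWF nested inside it) is something an analyst can check for mechanically. The following Python is an added example and not code from Unit 42 or from the original report; it parses the standard SWF header (FWS = uncompressed, CWS = zlib, ZWS = LZMA), inflates a CWS body, and scans the inflated bytes for nested SWF headers. The sample file at the bottom is constructed inline for illustration and has no relation to movie.swf.

```python
import struct
import zlib

# Standard SWF signatures: FWS (plain), CWS (zlib, SWF 6+), ZWS (LZMA, SWF 13+)
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def parse_swf_header(data):
    """Return (signature, version, declared_uncompressed_length) or None."""
    if len(data) < 8 or data[:3] not in SWF_MAGICS:
        return None
    version = data[3]
    length = struct.unpack("<I", data[4:8])[0]  # little-endian uint32
    return data[:3].decode("ascii"), version, length


def inflate_swf(data):
    """Return the uncompressed body that follows the 8-byte SWF header."""
    hdr = parse_swf_header(data)
    if hdr is None:
        raise ValueError("not a SWF file")
    sig = hdr[0]
    if sig == "FWS":
        return data[8:]
    if sig == "CWS":
        return zlib.decompress(data[8:])
    raise ValueError("ZWS (LZMA) bodies are not handled in this example")


def find_embedded_swfs(body):
    """Heuristic scan: SWF magic followed by a plausible version and length.

    A nested SWF is usually carried in a DefineBinaryData tag, so a raw
    byte search is enough to flag candidates worth a closer look."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = body.find(magic, start)
            if idx < 0:
                break
            hdr = parse_swf_header(body[idx:idx + 8])
            # Sanity limits: versions seen in the wild, length fits in the body
            if hdr and 1 <= hdr[1] <= 40 and 8 <= hdr[2] <= len(body) - idx:
                hits.append((idx, hdr))
            start = idx + 1
    return sorted(hits)


def analyse_swf(data):
    """Summarise compression, declared-vs-actual length, and nested SWFs."""
    outer = parse_swf_header(data)
    if outer is None:
        raise ValueError("not a SWF file")
    body = inflate_swf(data)
    return {
        "outer": outer,
        "compressed": outer[0] != "FWS",
        # A mismatch here is a red flag: header lies about the real size
        "length_matches": outer[2] == 8 + len(body),
        "embedded": find_embedded_swfs(body),
    }


# --- Constructed sample (not a real file): CWS wrapper with an FWS inside ---
_INNER_PAYLOAD = b"\x00" * 16
INNER_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(_INNER_PAYLOAD)) + _INNER_PAYLOAD
_OUTER_BODY = b"\x00" * 20 + INNER_SWF + b"\x00" * 4
SAMPLE_SWF = b"CWS" + bytes([20]) + struct.pack("<I", 8 + len(_OUTER_BODY)) + zlib.compress(_OUTER_BODY)

if __name__ == "__main__":
    report = analyse_swf(SAMPLE_SWF)
    print("outer header:", report["outer"])
    print("compressed:", report["compressed"], "length ok:", report["length_matches"])
    for offset, hdr in report["embedded"]:
        print(f"nested SWF at offset {offset}: {hdr}")
```

Running it on a real capture is the same call, `analyse_swf(open(path, "rb").read())`; any nested header reported is a candidate to carve out at that offset and run through the same function again.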
The file was found to behave consistently with a Trojan called IsSpace. IsSpace appears to be an evolution of the NFlog backdoor, previously linked to the adversary groups DragonOK and Moafee. These groups are thought to operate out of Southeast Asia. Moafee in particular has been associated with attacks on the US defence industrial base.
The CVE-2015-5122 exploit found within the Flash file is practically identical to the original proof of concept (PoC) disclosed in the Hacking Team data breach. Trend Micro has covered the PoC in detail.