Adobe patched this week a zero-day vulnerability (CVE-2016-4171) used in targeted cyber-espionage attacks, which according to Russian security vendor Kaspersky Lab, abused the Windows DDE protocol to deliver malware.
News broke out about the presence of this new zero-day on Tuesday, and two days later Adobe releasedto fix the zero-day and 35 other security bugs.
StarCruft APT currently conducting two cyber-espionage campaigns
Security firm Kaspersky Lab discovered the zero-day, and in its initial report, the company said the vulnerability was part of the arsenal of a cyber-espionage group which they codenamed StarCruft.
The group had carried out multiple cyber-attacks, which the company was tracking as Operation Erebus, and Operation Daybreak.
The zero-day was part of the more recent Operation Daybreak campaign, during which Kaspersky says the group also used two other Adobe exploits (CVE-2016-4117 and CVE-2016-0147) and an Internet Explorer exploit. For Operation Erebus, Kaspersky said the group used only CVE-2016-4117, which was served through watering hole attacks.
Spear-phishing emails led users to exploit kits
In the case of Operation Daybreak, StarCruft used spear-phishing emails. These emails contained links that redirected targets to Web pages PDFs, but also hosting exploit kits.
When users accessed these URLs, the malicious websites would deliver three SWF files containing Flash exploits. The second SWF file in this chain carried the zero-day’s malicious code.
Kaspersky says the zero-day exploited the Flash code that parses the ExecPolicy metadata information. The crooks were feeding invalid values to a key-value store that led to an out-of-bounds memory corruption issue, allowing the attackers to execute code on the infected machine.
StarCruft was force-feeding victims a DLL named yay_release.dll, which the hackers would load in Flash Player. The malicious code found inside this DLL contained a routine for bypassing security products.
Second zero-day detected by Kaspersky this year
Threat actors were using the Windows DDE component to create a malicious subroutine, which antivirus products wouldn’t be able to pick-up.
Kaspersky says that updates made earlier in the year to its security product allowed them to pick-up the zero-day’s malicious routine. The company says this is the second Flash zero-day their updated software was able to pick up this year alone after it.
Windows DDE stands for Dynamic Data Exchange and is a protocol that details methods for transferring data between applications.
For this particular case, Kaspersky notes the crooks used a never-before-seen DDE trick. StarCruft hackers were employing the malicious yay_release.dll to tell Windows DDE to create an LNK file, which they launched into execution.
This LNK file would execute a VBS script that would connect to a website and download a CAB file that contained a very rare trojan, used only in StarCruft attacks.
Zero-day used for over two-dozen attacks
The security vendor noted that StarCruft used the Flash zero-day to spy on targets such as a law enforcement agency in an Asian country, employees of one of the largest Asian trading companies, a restaurant located in Dubai’s biggest malls, and a mobile advertising company in the US. Additionally, the StarCruft APT also targeted members of the International Association of Athletics Federations.
“Nowadays, in-the-wild Flash Player exploits are becoming rare. This is because in most cases they need to be coupled with a Sandbox bypass exploit, which makes them rather tricky,” Kaspersky’s Costin Raiu and Anton Ivanov concluded in a recentbreaking down the latest zero-day.
“Additionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash Player more and more difficult,” the two also added.
Kaspersky has also informed Microsoft of the Windows DDE attack. It is worth noting that while the DDE exploit managed to bypass some AV software, Microsoft EMET was able to detect and counteract the attack.