Morphisec security experts have found a large malspam campaign exploiting the recently patched CVE-2018-4878 Adobe Flash Player flaw to deliver malware.
After researchers discovered that CVE-2018-4878 was being used by the North Korea-linked APT37 group in targeted attacks against South Korea, Adobe fixed the flaw on February 6.
However, the Morphisec experts now report that the same vulnerability is being exploited by other cybercriminals to deliver malware.
“As expected and predicted, adversaries have quickly adopted the Flash exploit, which is easily reproducible. With small variations to the attack, they successfully launched a massive malspam campaign and bypassed most of the existing static scanning solutions once again,” the Morphisec experts stated.
In the campaign, registered on February 22, the attackers used a version of the exploit quite similar to the one previously used by APT37.
The attackers sent spam emails containing a link to a document hosted on safe-storage[.]biz. Once downloaded and opened, the document tells the user that the online preview is not available and instructs them to enable editing mode in order to view the content.
The URLs included in the emails were generated with Google’s URL shortening service, which allowed the researchers to determine how many victims clicked them.
According to the researchers, each of the different links used in this campaign had been clicked tens or even hundreds of times within 3-4 days of being created.
Once the victim enables editing mode, the CVE-2018-4878 Adobe flaw is exploited and the Windows command prompt is launched. Malicious shellcode is then injected into the resulting cmd.exe process, and that shellcode connects to the attacker’s domain.
The shellcode then downloads a DLL from the same domain, which is executed using the Microsoft Register Server utility (regsvr32) to bypass application whitelisting.
The researchers note that only a limited number of security products flag the bait documents as malicious.
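As an added illustration of how a defender might hunt for the chain described above (this is example code, not from Morphisec or the report), the following Python walks process-creation events and flags regsvr32.exe launches whose lineage runs through cmd.exe back to an Office application, or whose DLL argument sits in a user-writable directory. The event list is constructed, and the Office process names and path heuristics are assumptions; the page only says a "document" was opened.

```python
"""Flag regsvr32.exe launches matching an Office -> cmd.exe -> regsvr32 chain.

Added example, not code from the report. The events below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed Office binaries; a cmd.exe -> regsvr32.exe chain under them is abnormal.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Lower-case path fragments that indicate a user-writable location (assumption).
WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class ProcEvent:
    """One process-creation event (e.g. Sysmon event ID 1 or Windows 4688)."""
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk the parent chain; bounded so PID reuse cannot loop forever."""
    chain: List[ProcEvent] = []
    cur = by_pid.get(ev.ppid)
    while cur is not None and len(chain) < 16:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def regsvr32_reasons(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Return the reasons a regsvr32.exe launch resembles the described chain."""
    if ev.image != "regsvr32.exe":
        return []
    reasons: List[str] = []
    lineage = [a.image for a in ancestors(ev, by_pid)]
    # Described chain: a document in an Office app spawns cmd.exe, which ends up in regsvr32.
    if "cmd.exe" in lineage and any(a in OFFICE_APPS for a in lineage):
        reasons.append("office->cmd.exe->regsvr32.exe lineage")
    # A DLL registered from a user-writable directory is where a downloaded payload lands.
    cmd = ev.cmdline.lower()
    if any(hint in cmd for hint in WRITABLE_HINTS):
        reasons.append("DLL argument in user-writable path")
    return reasons


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every regsvr32.exe launch that triggers at least one rule."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: r for e in events if (r := regsvr32_reasons(e, by_pid))}


# Constructed sample events (not from the Morphisec report).
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe",  'winword.exe /n "C:\\Users\\alice\\Downloads\\invoice.docx"'),
    ProcEvent(300, 200, "cmd.exe",      "cmd.exe"),
    ProcEvent(400, 300, "regsvr32.exe", "regsvr32 /s C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll"),
    ProcEvent(500, 100, "msiexec.exe",  "msiexec /i vendor.msi"),
    ProcEvent(600, 500, "regsvr32.exe", 'regsvr32 /s "C:\\Program Files\\Vendor\\comp.dll"'),
    ProcEvent(700, 100, "regsvr32.exe", "regsvr32 /s C:\\Users\\bob\\Downloads\\codec.dll"),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The lineage rule is the strong signal; the writable-path rule on its own is a weaker hunting lead that legitimate installers can also trip, so in practice it is worth triaging the two separately rather than alerting on either alone.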