A serious flaw has been identified in Adobe Flash Player that is being used to deliver FinFisher spyware, according to security experts. Adobe Systems has already issued an advisory for the newly identified flaw, which allows remote code execution. The flaw was identified by security firm Kaspersky Lab after the company noticed that Flash Player was being used in an attack against one of its customers last week.
“On October 10, 2017, Kaspersky Lab’s advanced exploit prevention systems identified a new Adobe Flash zero-day exploit used in the wild against our customers. The exploit was delivered through a Microsoft Office document, and the final payload was the latest version of the FinFisher malware. We have reported the bug to Adobe who assigned it CVE-2017-11292 and released a patch earlier today,” read the official blog post from Kaspersky Lab.
How does it work?
The vulnerability is a memory corruption flaw in the “com.adobe.tvsdk.mediacore.BufferControlParameters” class, Kaspersky researchers explained. If exploitation succeeds, the exploit gains arbitrary read and write primitives in the process and uses them to execute a second-stage shellcode.
To avoid detection by antivirus programs, the first-stage shellcode is padded with a NOP sled built from alternative instructions rather than plain NOPs; it is also responsible for downloading the second-stage shellcode from hxxp://89.45.67107/rss/5uzosoff0u.iaf.
Once the second-stage shellcode runs, it downloads the final FinFisher payload from hxxp://89.45.67107/rss/mo.exe, downloads a decoy document to display to the victim, and finally executes the payload.
According to Kaspersky’s findings, a hacker group designed this exploit, triggered through Adobe Flash Player, to download and install FinFisher spyware on the victim’s PC.
As noted above, the exploit is distributed through a Microsoft Office document sent via email. So far Kaspersky has identified only one attack, which means either that the number of attacks is very low or that this is a highly targeted campaign.
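Because the exploit arrives as Flash content embedded in an Office document, one defender-side triage check is to look for SWF headers inside the OOXML package before the file reaches a user. The following is an added example, not code from the article or from Kaspersky; the heuristic, the helper names and the sample document it builds are all constructed here.

```python
import io
import zipfile

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

def find_embedded_swf(docx_bytes):
    """Return (entry_name, offset, magic) for each plausible SWF header found
    inside an OOXML (.docx/.xlsx/.pptx) package. A benign document normally
    contains none, so any hit is worth quarantining for closer analysis."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            for magic in SWF_MAGICS:
                start = 0
                while True:
                    idx = data.find(magic, start)
                    if idx == -1:
                        break
                    start = idx + 1
                    if idx + 8 > len(data):
                        continue
                    # SWF header: 3-byte magic, 1-byte version, 4-byte LE length.
                    version = data[idx + 3]
                    length = int.from_bytes(data[idx + 4:idx + 8], "little")
                    # Sanity limits on version and length cut false positives
                    # from the same three ASCII letters appearing in XML text.
                    if 1 <= version <= 50 and 8 <= length < 2 ** 24:
                        hits.append((name, idx, magic.decode()))
    return hits

def build_sample_docx(embed_swf):
    """Construct a minimal .docx in memory (constructed test data, not a real
    sample). When embed_swf is True, an OLE-style blob carrying an uncompressed
    SWF header is placed under word/embeddings/, mimicking how an Office file
    can carry a Flash object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if embed_swf:
            swf = b"FWS" + bytes([10]) + (64).to_bytes(4, "little") + b"\x00" * 56
            zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16 + swf)
    return buf.getvalue()

if __name__ == "__main__":
    print(find_embedded_swf(build_sample_docx(True)))
```

The check is a triage heuristic only: a compressed or obfuscated container can hide the header, so a hit should route the file to sandbox analysis rather than stand alone as a verdict.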
What’s FinFisher anyway?
It is worth noting that FinFisher, also called FinSpy, is notorious surveillance software commonly used by law enforcement agencies and governments across the globe. Nearly 32 countries are suspected of using FinSpy spyware, according to a 2015 report from the University of Toronto’s Citizen Lab.
Analysis of the payload revealed that BlackOasis is behind this campaign. It is the same group that was identified as being behind another zero-day exploit discovered by security firm FireEye in September 2017, and the latest campaign uses the same C&C server and FinFisher payload as that previous zero-day.
According to Kaspersky, BlackOasis has lately been regularly targeting Middle Eastern politicians, activists and bloggers, and has previously tried to compromise victims by sending malicious code in Word documents. The group is believed to have expert capabilities, as it has exploited five previously unknown flaws, including zero-days, since 2015.
Adobe issued a security update
“To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system,” said Adobe.
Adobe has released a security update and urged users to patch the vulnerability as soon as possible by downloading the latest version of Flash Player. Most importantly, businesses and organizations need to patch their systems to prevent installation of the malicious payload.
Increase in FinFisher-related attacks
This is the second time in a month that attackers have used a vulnerability to deliver FinFisher spyware. Last month, Microsoft issued patches for 85 flaws, one of which was being used to trick users into downloading and installing FinFisher.
To stay protected, security researchers at Kaspersky Lab advise users to be cautious when opening emails and never to open an attachment or follow a link without first verifying the sender.