Targeted Attacks Against South Korean Entities May Have Been as Early as November 2017
On January 31, 2018, KrCERT/CC, the Republic of Korea’s (South Korea) Computer Emergency Response Team, released a notice regarding an Adobe Flash vulnerability, designated CVE-2018-4878. The notice stated that this zero-day vulnerability affects all versions of Adobe Flash Player ActiveX up to 18.104.22.168, which Adobe released on January 9, 2018. KrCERT/CC recommended uninstalling Flash Player and refraining from using Internet Explorer until Adobe releases a patch addressing the zero-day.
At least one South Korean security researcher has stated that they observed actors using an operational exploit for this vulnerability in the wild in South Korea. The researcher shared an image of a Microsoft Excel file with a list of various Korean cosmetic products and their prices that purportedly contains the vulnerability. The researcher also claimed that North Korean threat actors are using this exploit to target South Korean entities, but the researcher did not supply any details that could be used to independently corroborate this claim. Additionally, the researcher omitted details regarding how the vulnerability could be exploited.
Based on the debug information, it appears that threat actors have exploited this vulnerability in the wild since as early as November 14, 2017. Security company ESTSecurity published an initial analysis of some of the indicators of compromise (IOCs) associated with the exploit.
The exploit contains the following builder path:
According to Adobe, a patch for this vulnerability will be available on February 5, 2018. This is a remote code execution vulnerability with a use-after-free impact. The vulnerability affects Adobe Flash 22.214.171.124 and earlier versions.
Flashpoint assesses with moderate confidence that threat actors may continue to successfully exploit this vulnerability in the wild until the official patch is released. Flashpoint also assesses with moderate confidence that implementing protected view for Office documents and disabling Adobe Flash execution may assist with mitigating exposure to this vulnerability.
// Rule name is a placeholder; the name is not preserved on this page.
rule flash_cve_2018_4878_loader
{
    meta:
        description = "Detects CVE-2018-4878"
        vuln_type = "Remote Code Execution"
        vuln_impact = "Use-after-free"
        affected_versions = "Adobe Flash 126.96.36.199 and earlier versions"
        mitigation0 = "Implement Protected View for Office documents"
        mitigation1 = "Disable Adobe Flash"
        weaponization = "Embedded in Microsoft Office first payloads"
        actor = "Purported North Korean actors"
        reference = "hxxps://www[.]krcert[.]or[.]kr/data/secNoticeView.do?bulletin_writing_sequence=26998"
        author = "Vitali Kremez, Flashpoint"
        version = "1.1"
    strings:
        // EMBEDDED FLASH OBJECT BIN HEADER
        $header = "rdf:RDF" wide ascii
        // OBJECT APPLICATION TYPE TITLE
        $title = "Adobe Flex" wide ascii
        // PDB PATH
        $pdb = "F:\\work\\flash\\obfuscation\\loadswf\\src" wide ascii
        // LOADER STRINGS
        $s0 = "URLRequest" wide ascii
        $s1 = "URLLoader" wide ascii
        $s2 = "loadswf" wide ascii
        $s3 = "myUrlReqest" wide ascii
    condition:
        (all of ($header*) and all of ($title*) and 3 of ($s*)) or
        (all of ($pdb*) and all of ($header*) and 1 of ($s*))
}
A. Implement Protected View for Office documents
B. Disable Adobe Flash execution
Notably, there is no patch for this vulnerability until February 5, 2018 according to Adobe. 
V. Indicators of Compromise (MD5):
VI. Command and Control (C2) servers:
VII. PDB path:
# sid:1000001 is a placeholder from the local-rules range; assign your own.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible CVE-2018-4878 check-in alert"; flow:established,to_server; content:"?id="; http_uri; content:"&fp_vs="; http_uri; content:"&os_vs="; http_uri; reference: source, Vitali Kremez-Flashpoint; classtype:trojan-activity; sid:1000001; rev:1;)
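
The same check-in pattern can be hunted retroactively in web proxy logs where no IDS was in place. The Python below is an added example, not part of the original Flashpoint post: only the three URI markers come from the Snort rule above, while the log layout, hostnames and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Literal URI substrings taken from the Snort rule on this page.
CHECKIN_MARKERS = ("?id=", "&fp_vs=", "&os_vs=")

# Assumed log layout (constructed): <timestamp> <client_ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def uri_of(url):
    """Return path plus query, percent-decoded to approximate a normalised URI."""
    parts = urlsplit(url)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    return unquote(uri)

def is_checkin(url):
    """True when every marker is present; like the rule, order does not matter."""
    uri = uri_of(url)
    return all(marker in uri for marker in CHECKIN_MARKERS)

def hunt(lines):
    """Return (timestamp, client, destination host) for each matching log line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m is None:
            continue  # malformed line: skip rather than abort the hunt
        if is_checkin(m["url"]):
            hits.append((m["ts"], m["src"], urlsplit(m["url"]).hostname))
    return hits

# Constructed sample lines; hosts and parameter values are illustrative only.
SAMPLE_LOG = [
    "2018-02-01T09:14:02Z 10.0.5.23 GET http://c2.example.test/logo.png?id=A1B2&fp_vs=WIN%2028&os_vs=Windows%207 200",
    "2018-02-01T09:14:07Z 10.0.5.23 GET http://shop.example.test/item?id=42&color=red 200",
    "2018-02-01T09:15:40Z 10.0.7.8 GET http://cdn.example.test/a.js?os_vs=1&x=2&fp_vs=3 200",
    "2018-02-01T09:16:11Z 10.0.9.4 GET http://c2.example.test/i.gif?id=9&os_vs=b&fp_vs=a 200",
    "truncated or malformed line",
]

if __name__ == "__main__":
    for ts, src, host in hunt(SAMPLE_LOG):
        print(f"{ts} {src} -> {host}")
```

The second and third sample lines show why all three markers are required: a lone `?id=` parameter is common in benign traffic, and `os_vs` as the first query parameter does not produce the `&os_vs=` substring.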