
Targeted Attacks Against South Korean Entities May Have Been as Early as November 2017

On January 31, 2018, KrCERT/CC, the Computer Emergency Response Team of the Republic of Korea (South Korea), released a notice regarding an Adobe Flash vulnerability designated CVE-2018-4878. The notice stated that this zero-day vulnerability affects all versions of Adobe Flash Player ActiveX up to and including 28.0.0.137, the build Adobe released on January 9, 2018. KrCERT/CC recommended uninstalling Flash Player and refraining from using Internet Explorer until Adobe releases a patch for the zero-day.

At least one South Korean security researcher has stated that they observed actors using a working exploit for this vulnerability in the wild in South Korea. The researcher shared an image of a Microsoft Excel file, listing various Korean cosmetic products and their prices, that purportedly carries the exploit. The researcher also claimed that North Korean threat actors are using this exploit to target South Korean entities, but supplied no details that could be used to independently corroborate the claim, and omitted how the vulnerability is triggered.

Based on debug information embedded in the exploit, threat actors appear to have exploited this vulnerability in the wild since as early as November 14, 2017. The security company ESTSecurity published initial analysis of some of the indicators of compromise (IOCs) associated with the exploit.

The exploit contains the following build path, recovered from its embedded debug information:

F:\work\flash\obfuscation\loadswf\src

Image 1: The decompiled SWF object contains server beacon information.

According to Adobe, a patch for this vulnerability will be available on February 5, 2018. CVE-2018-4878 is a use-after-free vulnerability that allows remote code execution; it affects Adobe Flash 28.0.0.137 and earlier versions.

Flashpoint assesses with moderate confidence that threat actors may continue to exploit this vulnerability in the wild until the official patch is released. Flashpoint also assesses with moderate confidence that enabling Protected View for Office documents and disabling Adobe Flash execution may reduce exposure to this vulnerability. Protected View opens untrusted documents read-only with active content such as ActiveX controls blocked, so it protects only until a user clicks Enable Editing; disabling the Flash Player ActiveX control removes the vulnerable component from both Internet Explorer and Office.

Appendix: Detection

rule crime_ole_loadswf_cve_2018_4878
{
    meta:
        description = "Detects CVE-2018-4878"
        vuln_type = "Remote Code Execution"
        vuln_impact = "Use-after-free"
        affected_versions = "Adobe Flash 28.0.0.137 and earlier versions"
        mitigation0 = "Implement Protected View for Office documents"
        mitigation1 = "Disable Adobe Flash"
        weaponization = "Embedded in Microsoft Office first payloads"
        actor = "Purported North Korean actors"
        reference = "hxxps://www[.]krcert[.]or[.]kr/data/secNoticeView.do?bulletin_writing_sequence=26998"
        author = "Vitali Kremez, Flashpoint"
        version = "1.1"

    strings:
        // EMBEDDED FLASH OBJECT BIN HEADER
        $header = "rdf:RDF" wide ascii

        // OBJECT APPLICATION TYPE TITLE
        $title = "Adobe Flex" wide ascii

        // PDB PATH
        $pdb = "F:\\work\\flash\\obfuscation\\loadswf\\src" wide ascii

        // LOADER STRINGS
        $s0 = "URLRequest" wide ascii
        $s1 = "URLLoader" wide ascii
        $s2 = "loadswf" wide ascii
        $s3 = "myUrlReqest" wide ascii

    condition:
        // Parenthesized to make the intended precedence explicit:
        // generic loader profile, or the PDB path with any loader string.
        ($header and $title and 3 of ($s*)) or ($pdb and $header and 1 of ($s*))
}
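YARA matches raw bytes, so the rule above sees an embedded SWF only after the container has been unpacked: an OOXML workbook is a zip archive, and a CWS-format SWF keeps its tags, including the RDF metadata and the loader strings, inside a zlib stream. The following Python is an added example, not Flashpoint's tooling or code from the page, that inflates embedded SWFs before applying the rule's string logic. The sample workbook it builds, and the member name xl/embeddings/oleObject1.bin, are constructed for the demonstration and are not taken from a real exploit document.

```python
"""Scan Office documents for an embedded SWF carrying the loadswf indicators."""
import io
import re
import zipfile
import zlib

# Strings taken from the YARA rule above.
HEADER = b"rdf:RDF"
TITLE = b"Adobe Flex"
PDB_PATH = rb"F:\work\flash\obfuscation\loadswf\src"
LOADER_STRINGS = (b"URLRequest", b"URLLoader", b"loadswf", b"myUrlReqest")

# SWF signature (FWS = uncompressed, CWS = zlib, ZWS = LZMA) followed by a version byte.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40]")


def _present(hay: bytes, needle: bytes) -> bool:
    """Emulate YARA's 'wide ascii' modifiers: match the ASCII or UTF-16LE form."""
    return needle in hay or needle.decode("ascii").encode("utf-16-le") in hay


def rule_matches(data: bytes) -> bool:
    """Port of the rule's condition, evaluated over one buffer."""
    header = _present(data, HEADER)
    title = _present(data, TITLE)
    pdb = _present(data, PDB_PATH)
    loader_hits = sum(_present(data, s) for s in LOADER_STRINGS)
    return (header and title and loader_hits >= 3) or (pdb and header and loader_hits >= 1)


def extract_swfs(blob: bytes) -> list:
    """Return (kind, body) for every SWF found in blob, with CWS bodies inflated.

    SWF layout: 3-byte signature, version byte, 4-byte little-endian total file
    length, then the body. ZWS uses a non-standard LZMA framing, so it is
    reported for manual analysis rather than decoded here.
    """
    found = []
    for m in SWF_MAGIC.finditer(blob):
        start = m.start()
        if start + 8 > len(blob):
            continue
        sig = blob[start:start + 3]
        total_len = int.from_bytes(blob[start + 4:start + 8], "little")
        body = blob[start + 8:]
        if sig == b"FWS":
            found.append(("FWS", body[:max(total_len - 8, 0)]))
        elif sig == b"CWS":
            try:
                found.append(("CWS", zlib.decompressobj().decompress(body)))
            except zlib.error:
                continue  # not a zlib stream: the magic was a false positive
        else:
            found.append(("ZWS", b""))
    return found


def scan_document(data: bytes) -> dict:
    """Scan a document's raw bytes and, for OOXML, every zip member.

    Maps a location to the reason it fired, so the analyst can see whether the
    strings were visible in the container or only after inflating an embedded SWF.
    """
    results = {}
    members = [("<raw>", data)]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            members += [(n, z.read(n)) for n in z.namelist()]
    for name, content in members:
        if rule_matches(content):
            results[name] = "strings visible in container bytes"
        for kind, swf in extract_swfs(content):
            if kind == "ZWS":
                results[f"{name}!ZWS"] = "LZMA-compressed SWF, inspect manually"
            elif rule_matches(swf):
                results[f"{name}!{kind}"] = "strings visible after decompressing SWF"
    return results


def build_sample_xlsx() -> bytes:
    """Constructed test input (not a real sample): an OOXML zip carrying a
    zlib-compressed SWF whose body holds the rule's strings."""
    body = (
        b"<rdf:RDF><dc:title>Adobe Flex</dc:title></rdf:RDF>"
        b"URLRequest\x00URLLoader\x00loadswf\x00myUrlReqest\x00"
        + PDB_PATH + b"\x00" * 128
    )
    header = b"CWS" + bytes([30]) + (len(body) + 8).to_bytes(4, "little")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 64 + header + zlib.compress(body))
    return buf.getvalue()


if __name__ == "__main__":
    for where, why in scan_document(build_sample_xlsx()).items():
        print(f"{where}: {why}")
```

To use it on a real file, pass the file's bytes to scan_document(). The raw container never matches, because the strings only exist inside the zlib stream of the embedded CWS; the hit appears on the inflated member. Legacy OLE (.xls/.doc) files are flat, so the raw scan covers their embedded objects without extra parsing.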

IV. Mitigation
A. Implement Protected View for Office documents
B. Disable Adobe Flash execution

Notably, according to Adobe, no patch for this vulnerability is available until February 5, 2018. [3]

V. Indicators of Compromise (MD5):
9593d277b42947ef28217325bcc1fe50
5f97c5ea28c0401abc093069a50aa1f8
1f93c09eed6bb17ec46e63f00bd40ebb
4c1533cbfb693da14e54e5a92ce6faba

VI. Command and Control (C2) servers:
hxxp://www[.]dylboiler[.]co[.]kr/admincenter/files/boad/4/manager[.]php
hxxp://www[.]1588-2040[.]co[.]kr/design/m/images/image/image[.]php

VII. PDB path:
F:\work\flash\obfuscation\loadswf\src

SNORT Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible CVE-2018-4878 check-in alert"; flow:established,to_server; content:"?id="; http_uri; content:"&fp_vs="; http_uri; content:"&os_vs="; http_uri; reference:url,www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=26998; classtype:trojan-activity; sid:1000001; rev:1;)

The three content matches are independent, so the rule fires on any outbound request whose URI carries the id, fp_vs and os_vs parameters in any order. Snort requires a sid to load the rule; 1000001 is a placeholder in the local-rule range and should be replaced with a value from the deploying organization's allocation.
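The same check-in can be hunted retroactively in web proxy logs. The Python below is an added example, not Flashpoint's tooling or code from the page: it flags a request either because its URL is one of the two C2 URLs listed above or because its query string carries the id, fp_vs and os_vs parameters the Snort rule looks for. The log line layout, the non-C2 hosts and the parameter values in the sample lines are constructed for the demonstration.

```python
"""Hunt proxy logs for the CVE-2018-4878 loader check-in."""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the page: the two C2 URLs and the check-in's query keys.
C2_URLS = {
    "http://www.dylboiler.co.kr/admincenter/files/boad/4/manager.php",
    "http://www.1588-2040.co.kr/design/m/images/image/image.php",
}
CHECKIN_KEYS = {"id", "fp_vs", "os_vs"}

# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_url(url: str) -> list:
    """Return the reasons a URL looks like the loader's check-in (empty if none)."""
    parts = urlsplit(url)
    base = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    reasons = []
    if base in C2_URLS:
        reasons.append("known C2 URL")
    # Same test as the Snort rule, but on parsed keys rather than raw substrings,
    # so parameter order does not matter.
    if CHECKIN_KEYS <= keys:
        reasons.append("check-in parameter set id/fp_vs/os_vs")
    return reasons


def hunt(log_lines) -> list:
    """Return (client, url, reasons) for every log line that matches."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        reasons = classify_url(m["url"])
        if reasons:
            hits.append((m["src"], m["url"], reasons))
    return hits


# Constructed sample log lines. The first URL is a real IOC from the page;
# the other hosts and all parameter values are invented.
SAMPLE_LOG = [
    "2018-02-01T09:12:03Z 10.0.0.15 GET http://www.dylboiler.co.kr/admincenter/files/boad/4/manager.php?id=a1b2&fp_vs=28.0.0.137&os_vs=6.1 200",
    "2018-02-01T09:12:09Z 10.0.0.15 GET http://cdn.example.net/static/app.js 200",
    "2018-02-01T09:13:41Z 10.0.0.22 GET http://updates.example.org/check.php?os_vs=10.0&fp_vs=28.0.0.137&id=zz 404",
    "2018-02-01T09:14:02Z 10.0.0.30 GET http://shop.example.com/item.php?id=42 200",
]

if __name__ == "__main__":
    for src, url, reasons in hunt(SAMPLE_LOG):
        print(src, url, ", ".join(reasons))
```

The third sample line shows why the parameter-set test is worth keeping alongside the URL list: a check-in to a host not yet on the IOC list is still caught, while the fourth line, which carries only id, is not.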


About the author: Vitali Kremez

Vitali Kremez is a Director of Research at Flashpoint. He leads a technical team that specializes in researching and investigating complex cyber attacks, network intrusions, data breaches, and hacking incidents. Vitali is a strong believer in responsible disclosure and has helped enterprises and government agencies secure indictments in many high-profile investigations involving data breaches, network intrusions, ransomware, computer hacking, intellectual property theft, credit card fraud, money laundering, and identity theft. Previously, Vitali enjoyed a rewarding career as a Cybercrime Investigative Analyst for the New York County District Attorney's Office.

He has earned the majority of certifications available in the information technology, information security, digital forensics, and fraud intelligence fields. A renowned expert, speaker, blogger, and columnist, Vitali has contributed articles to Dark Reading, BusinessReview, and Infosecurity Magazine and is a frequent commentator on cybercrime, hacking incidents, policy, and security.

About the author: Ronnie Tokazowski

Ronnie Tokazowski is a Senior Malware Analyst at Flashpoint who specializes in APT, crimeware, and cryptanalysis. When he’s not cooking, he’s reversing new strains of malware and breaking different malware protocols in order to understand how they work.