Targeted Attacks Against South Korean Entities May Have Been as Early as November 2017

Blog
February 2, 2018

On January 31, 2018, KrCERT/CC, the Republic of Korea’s (South Korea) Computer Emergency Response Team, released a notice regarding an Adobe Flash vulnerability, designated CVE-2018-4878. The notice stated that this zero-day vulnerability affects all versions of Adobe Flash Player ActiveX up to 28.0.0.137, which Adobe released on January 9, 2018. KrCERT/CC recommended uninstalling Flash Player and refraining from using Internet Explorer until Adobe releases a patch addressing the zero-day.

At least one South Korean security researcher has stated that they observed actors using an operational exploit for this vulnerability in the wild in South Korea. The researcher shared an image of a Microsoft Excel file listing various Korean cosmetic products and their prices that purportedly carries the exploit. The researcher also claimed that North Korean threat actors are using this exploit to target South Korean entities, but did not supply any details that could be used to independently corroborate this claim. The researcher likewise omitted details regarding how the vulnerability is exploited.

Based on the debug information embedded in the exploit, it appears that threat actors have exploited this vulnerability in the wild since as early as November 14, 2017. Security company ESTSecurity published an initial analysis covering some of the indicators of compromise (IOCs) associated with the exploit.

The exploit contains the following builder (PDB) path:

F:\work\flash\obfuscation\loadswf\src

Image 1: The decompiled SWF object contains server beacon information.

According to Adobe, a patch for this vulnerability will be available on February 5, 2018. The vulnerability is a use-after-free that allows remote code execution. It affects Adobe Flash 28.0.0.137 and earlier versions.

Flashpoint assesses with moderate confidence that threat actors may continue to successfully exploit this vulnerability in the wild until the official patch is released. Flashpoint also assesses with moderate confidence that implementing protected view for Office documents and disabling Adobe Flash execution may assist with mitigating exposure to this vulnerability.

Appendix: Detection

rule crime_ole_loadswf_cve_2018_4878
{
    meta:
        // DESCRIPTION
        description = "Detects CVE-2018-4878"
        vuln_type = "Remote Code Execution"
        vuln_impact = "Use-after-free"
        affected_versions = "Adobe Flash 28.0.0.137 and earlier versions"
        mitigation0 = "Implement Protected View for Office documents"
        mitigation1 = "Disable Adobe Flash"
        weaponization = "Embedded in Microsoft Office first payloads"
        actor = "Purported North Korean actors"
        reference = "hxxps://www[.]krcert[.]or[.]kr/data/secNoticeView.do?bulletin_writing_sequence=26998"
        author = "Vitali Kremez, Flashpoint"
        version = "1.1"

    strings:
        // EMBEDDED FLASH OBJECT BIN HEADER
        $header = "rdf:RDF" wide ascii

        // OBJECT APPLICATION TYPE TITLE
        $title = "Adobe Flex" wide ascii

        // PDB PATH (backslashes must be escaped in YARA text strings)
        $pdb = "F:\\work\\flash\\obfuscation\\loadswf\\src" wide ascii

        // LOADER STRINGS
        $s0 = "URLRequest" wide ascii
        $s1 = "URLLoader" wide ascii
        $s2 = "loadswf" wide ascii
        $s3 = "myUrlReqest" wide ascii

    condition:
        // "and" binds tighter than "or"; the parentheses make the two alternatives explicit
        (all of ($header*) and all of ($title*) and 3 of ($s*))
        or (all of ($pdb*) and all of ($header*) and 1 of ($s*))
}
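As an added example (not part of the original post or of Flashpoint's tooling), the rule's condition ported to Python and applied to each member of an OOXML container, which YARA does not unpack on its own. The indicator strings come from the rule above; the xlsx with an embedded zlib-compressed SWF is constructed inside the code, and the CWS handling assumes the standard Flash file layout (8-byte header followed by a zlib stream).

```python
import io
import zipfile
import zlib
# Indicator strings from the YARA rule above. Each is checked as plain ASCII
# and as UTF-16LE, which is what the rule's "wide ascii" modifier means.
HEADER = b"rdf:RDF"
TITLE = b"Adobe Flex"
PDB = b"F:\\work\\flash\\obfuscation\\loadswf\\src"
LOADER = [b"URLRequest", b"URLLoader", b"loadswf", b"myUrlReqest"]

def present(data: bytes, s: bytes) -> bool:
    return s in data or s.decode("ascii").encode("utf-16-le") in data

def matches_rule(data: bytes) -> bool:
    """Port of the rule's condition: (header and title and >=3 loader strings)
    or (pdb and header and >=1 loader string)."""
    hits = sum(present(data, s) for s in LOADER)
    hdr, title, pdb = (present(data, x) for x in (HEADER, TITLE, PDB))
    return (hdr and title and hits >= 3) or (pdb and hdr and hits >= 1)

def inflate_cws(data: bytes) -> bytes:
    """Append the inflated body of every zlib-compressed SWF ("CWS" signature,
    zlib stream starts 8 bytes in) so strings inside it become searchable."""
    out, pos = data, data.find(b"CWS")
    while pos != -1:
        try:
            out += zlib.decompressobj().decompress(data[pos + 8:])
        except zlib.error:
            pass  # "CWS" occurred by chance, not a real SWF header
        pos = data.find(b"CWS", pos + 3)
    return out

def scan_ooxml(doc: bytes) -> list:
    """Names of members in an OOXML (xlsx/docx) zip that satisfy the rule.
    YARA does not open zip containers itself, so each member is checked here."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return [n for n in z.namelist() if matches_rule(inflate_cws(z.read(n)))]

def build_constructed_sample() -> bytes:
    """Constructed test input (not a real sample): a fake xlsx with one clean
    sheet and one embedded, zlib-compressed fake Flash object carrying the
    indicator strings (PDB path plus three loader strings)."""
    body = b"<rdf:RDF>Adobe Flex</rdf:RDF>" + PDB + b"\x00URLRequest\x00URLLoader\x00loadswf"
    cws = b"CWS\x0a" + (len(body) + 8).to_bytes(4, "little") + zlib.compress(body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 64 + cws)
    return buf.getvalue()
```

Calling scan_ooxml(build_constructed_sample()) flags only the embedded object member, while the clean worksheet member is not reported.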

IV. Mitigation
A. Implement Protected View for Office documents
B. Disable Adobe Flash execution

Notably, there is no patch for this vulnerability until February 5, 2018, according to Adobe [3].

V. Indicators of Compromise (MD5):
9593d277b42947ef28217325bcc1fe50
5f97c5ea28c0401abc093069a50aa1f8
1F93C09EED6BB17EC46E63F00BD40EBB
4C1533CBFB693DA14E54E5A92CE6FABA

VI. Command and Control (C2) servers:
hxxp://www[.]dylboiler[.]co[.]kr/admincenter/files/boad/4/manager[.]php
hxxp://www[.]1588-2040[.]co[.]kr/design/m/images/image/image[.]php

VII. PDB path:
F:\work\flash\obfuscation\loadswf\src

SNORT Rule:

# Author: Vitali Kremez, Flashpoint. The sid below is a local placeholder; assign one from your own reserved range.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible CVE-2018-4878 check-in alert"; flow:established,to_server; content:"?id="; http_uri; content:"&fp_vs="; http_uri; content:"&os_vs="; http_uri; reference:url,www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=26998; classtype:trojan-activity; sid:1000001; rev:1;)