Adobe 0-days exploited for IEEE aerospace spearphishing attacks

Last week Adobe released a patch for Adobe Flash that fixed a zero day vulnerability, CVE-2013-0633, that is being exploited using Microsoft Office files with embedded flash content delivered via email. The vulnerability is not isolated, it is circulating the news of a new one coded CVE-2013-0634 being exploited trough web browsers such as Firefox and Safari on Mac OSX that has been identified by FireEye security firm.

Adobe credited the CERT of aerospace company Lockheed Martin for discovering that exploit, providing further indication of the caliber of target the hackers were seeking.

Last Friday Adobe’s patched one zero day vulnerability being exploited with malicious embedded Flash content in Microsoft Office documents for Windows that were delivered as emailed attachments.

Security researchers at Alien Vault revealed that attackers delivered the exploits with a targeted spear phishing campaign aimed at the US aerospace sector and industry.

Jaime Blasco, director at Alienvault Labs revealed that one of the Office attachments used to carried the Flash exploit was a 2013 Institute of Electrical and Electronics Engineers (IEEE) Aerospace Conference schedule.

Another sample isolated is  an “Employee Quick Reference Guide” related with an online payroll system, the  Automatic Data Processing (ADP), used by several companies in the US such as Alcoa.

The analysis proposed by FireEye revealed interesting particulars, despite Word files are in English the codepage of Word files are “Windows Simplified Chinese (PRC, Singapore)”. The Word files contain a macro to load an embedded SWF flash object, the flash files contain several ActionScript classes that checks for specific Flash and operating system versions and specific code to trigger the exploit.

“Two oddities of the malware were a coding reference to “Lady Boyle”, a character in the adventure game, “Dishonored”. The authors also failed to obfuscate the malicious Flash file, leaving it open to detection by generic antivirus signatures.”

Also in this case the malicious code was digitally signed with an invalid digital certificate from the Korean gaming company, MGAME Corporation, the same digital document  was also used to sign PlugX remote access tool (RAT) in past attacks on NGOs, according to AlienVault.

“We have seen this certificate dozens of times in the past as part of targeted attacks including NGO’s to sign several RAT files including PlugX.”

The same executable renames itself to try to pass itself off as the Google update process.

The situation is very worrying, the exploit of zero-day vulnerabilities leaves vulnerable target systems. Fortunately it is not so easy to discover a zero-days and in majority of cases their exploits are related to state sponsored attacks. These offensives are typically structured operation susteined by intense researches aimed to discovery a huge quantities of vulnerabilities to exploit during the attacks, campaigns such as the famous Operation Aurora and the most recent Elderwood project.

Pierluigi Paganini