According to research firm Morphisec, cybercriminals are blasting out spam that urges recipients to click links to download Word documents. Once the victim opens the document and enables macros, the malicious document attempts to exploit the Adobe Flash Player bug (CVE-2018-4878) that Adobe fixed earlier this month. The researchers said victims who fall for the lure may ultimately hand control of their systems to the attackers.
Michael Gorelik, chief technology officer and vice president of research and development at Morphisec, said that in the recent spam campaign, victims were sent an e-mail containing a short link to a malicious Word document for download. He added that most of the malicious attachments evaded antivirus protection, showing a low detection rate on VirusTotal.
“Once the Word document was downloaded and opened, the exploit triggered the Flash vulnerability CVE-2018-4878 and opened a command prompt, which was later remotely injected with a malicious shellcode that connected to the malicious command-and-control (C2) domain,” Gorelik writes in the technical overview of the attack. “Next, the shellcode downloads an ‘m.db’ DLL from the same domain, which is executed using the regsvr32 process so that the whitelist solution can be bypassed.”
The regsvr32 (Microsoft Register Server) process is a command-line utility that ships with the Windows operating system and is used to register and unregister DLLs and ActiveX controls in the Windows Registry. Because it is a signed Microsoft binary that is normally allowed to run, application-whitelisting products often trust it, which is what makes it attractive for loading a payload that would otherwise be blocked.
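The chain described above (Word document, command prompt, shellcode, then regsvr32 executing a downloaded file named ‘m.db’) leaves a recognisable trace in process-creation telemetry. The script below is an added detection sketch written for this post; it is not Morphisec's code and not taken from the original article. The log format (pipe-separated key=value fields in a simplified Sysmon-like ProcessCreate layout), the field names, the PIDs, the file paths and the sample events are all constructed for illustration. It flags regsvr32 invocations whose target does not carry a DLL-style extension, whose target sits in a user-writable directory, or whose process ancestry runs back through a command prompt to an Office application, and it leaves a legitimate installer-driven regsvr32 call alone.

```python
"""
Detection sketch (added example, not the article's or Morphisec's code):
flag regsvr32 process-creation events that match the Word -> cmd.exe ->
regsvr32 'm.db' pattern described in the text.

Log format, field names, PIDs and paths below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample events, one per line, pipe-separated key=value fields.
# The first three lines model the malicious chain; the last two model a
# benign installer registering a vendor DLL.
SAMPLE_EVENTS = r"""
ts=2018-02-23T10:01:02Z|pid=4120|ppid=812|image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|cmdline="WINWORD.EXE" /n "C:\Users\u\Downloads\invoice.docx"
ts=2018-02-23T10:01:09Z|pid=4188|ppid=4120|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe
ts=2018-02-23T10:01:15Z|pid=4210|ppid=4188|image=C:\Windows\System32\regsvr32.exe|cmdline=regsvr32 /s C:\Users\u\AppData\Local\Temp\m.db
ts=2018-02-23T10:05:00Z|pid=5001|ppid=700|image=C:\Windows\System32\msiexec.exe|cmdline=msiexec /i setup.msi
ts=2018-02-23T10:06:00Z|pid=5002|ppid=5001|image=C:\Windows\System32\regsvr32.exe|cmdline=regsvr32 /s "C:\Program Files\Vendor\vendor.dll"
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")
EXPECTED_EXT = (".dll", ".ocx", ".ax")


@dataclass
class Event:
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Event]:
    """Parse the constructed key=value log format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = {}
        for part in line.split("|"):
            key, _, value = part.partition("=")
            fields[key] = value
        events.append(Event(fields["ts"], int(fields["pid"]), int(fields["ppid"]),
                            fields["image"], fields["cmdline"]))
    return events


def regsvr32_target(cmdline: str) -> Optional[str]:
    """Return the file regsvr32 was asked to load: the last non-switch token."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    args = [t.strip('"') for t in tokens[1:] if not t.startswith("/")]
    return args[-1] if args else None


def ancestry(ev: Event, by_pid: Dict[int, Event]) -> List[str]:
    """Walk parent PIDs upward and return the image names of the ancestors."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def score_regsvr32(ev: Event, by_pid: Dict[int, Event]) -> List[str]:
    """Return the list of reasons this regsvr32 event looks suspicious."""
    reasons = []
    target = regsvr32_target(ev.cmdline)
    if target:
        low = target.lower()
        if not low.endswith(EXPECTED_EXT):
            reasons.append(f"target has a non-DLL extension: {target}")
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append(f"target lives in a user-writable path: {target}")
    chain = ancestry(ev, by_pid)
    if "cmd.exe" in chain and OFFICE_APPS.intersection(chain):
        reasons.append("spawned via cmd.exe from an Office process: " + " <- ".join(chain))
    return reasons


def find_suspicious_regsvr32(text: str) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every regsvr32 event with at least one reason."""
    events = parse_events(text)
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if basename(ev.image) != "regsvr32.exe":
            continue
        reasons = score_regsvr32(ev, by_pid)
        if reasons:
            alerts.append((ev.pid, reasons))
    return alerts


if __name__ == "__main__":
    for pid, reasons in find_suspicious_regsvr32(SAMPLE_EVENTS):
        print(f"ALERT regsvr32 pid={pid}")
        for r in reasons:
            print(f"  - {r}")
```

Run against the constructed sample, only the regsvr32 launched from the Word-spawned command prompt with the ‘m.db’ target is reported, with all three reasons; the installer-driven registration of a vendor DLL under Program Files produces no alert. In a real deployment the same three checks map onto Sysmon Event ID 1 or EDR process-creation data, and the ancestry walk is what separates this pattern from routine software installation.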
The researchers said their analysis of the short links used in the spam campaign showed the same patterns as legitimate e-mail marketing campaigns, making them hard to distinguish. Click-through rates skyrocketed in the first hours after an e-mail was sent, and Gorelik wrote that signature-based defenses, such as antivirus, could not keep pace with that rate.
Morphisec said the campaign, which it tracked for “just a few hours,” targeted inboxes in the United States and Europe. Gorelik said: “These files were downloaded from the safe-storge[.]biz domain and had almost no detection, a rate of 1/67.”
Commenting on the spam campaign, an Adobe spokesperson said that “most exploits are for software that is not up-to-date with the latest security updates, and we strongly urge users to install the security updates as soon as possible.”
Looking ahead, Gorelik said he expects CVE-2018-4878 to spark more headaches in the coming years.
“Adobe released a patch in early February but it can take weeks, months, or years to get patches out and cybercriminals are constantly developing new ways to exploit vulnerabilities in this window,” he said.
Morphisec said that it has detected several malicious Word documents – part of a “massive” malspam campaign – that take advantage of a critical Adobe Flash Player vulnerability disclosed earlier this month.
thumbnail courtesy of threatpost.com.