Last Week, Adobe released security update for a Critical Vulnerability, CVE-2015-3113 that affects Adobe Flash on Windows, Mac and Linux. CVE-2015-3113.
This may allow remote attackers to execute arbitrary code.
In The Wild Attacks
There were reports of the “In The Wild Zero Day Attacks” affecting Windows 7 with Internet Explorer and Windows XP with Firefox.
Fireeye reported Operation Clandestine Wolf, which was utilizing this vulnerability as an initial point in infecting victims.
Lets take a look at the malicious Flash file.
Here is the detection rate as seen in Virustotal.
Here is how the Flash file is constructed, do observe a couple of Binary Data blocks. These are later referenced in ActionScript.
Here is the decompilation of the ActionScript embedded in the Flash File.
We can see the control flow where encrypted data is decrypted using a specified key. This is achieved using some array manipulations followed by decode function call.
This function converts the byte array to an integer array.
This is the actual logic of the “decode” routine that utilizes XOR decryption.
Advanced Exploitation Techniques
The exploit has to rely on advanced techniques like Heap Spray and ROP Chain to bypass security mechanisms like DEP, ASLR.
This attack was attributed to China Based Threat Actor, APT3 based on the similarities with Operation Clandestine Fox reported last year. Here, the threat actors similarly had exploited a Zero Day in Internet Explorer before downloading Backdoor on the Victim’s systems and eventually achieving lateral movement across multiple hosts.
They have also been blamed to target high profile industries like Construction, Aerospace, Defense, Telecommunications, etc
Adobe has already released a fix for this vulnerability thus make sure your systems are patched.
Since, it was a Zero day affecting patched versions, you should also consider if disabling Adobe Flash is an option.