Delaware, USA – June 8, 2018 – An unknown APT group is conducting a cyber-espionage campaign that targeted organizations in Doha, Qatar. The campaign was uncovered by experts from 360 Core Security, its detailed analysis showed that the adversaries prepared for the operation for several months. Adversaries send phishing emails with a carefully crafted Microsoft Excel document. The attached document has an embedded link to the SWF file, which is automatically executed after the download. Then this file receives from the C2 server an encrypted Flash zero-day exploit, which installs a trojan on the attacked system. Vulnerability CVE-2018-5002 allows executing arbitrary code on an infected device. Adobe has already issued patch closing this vulnerability, as well as several other critical vulnerabilities.
CVE-2018-5002 is not the first Adobe Flash zero-day vulnerability discovered this year and actively used by cybercriminals in attacks. Make sure that you updated Flash on all systems to version 220.127.116.11. The exploitation of zero-days allows attackers to install various malware bypassing security solutions, so additional tools are required to detect malicious activity. You can use your SIEM and APT Framework to allow the most efficient use of existing technologies in your organization. You can also use Sigma UI module in Threat Detection Marketplace to create rules online and link them directly to your SOC and Threat hunting operations.