Delaware, USA – December 6, 2018 – A week before the official Patch Tuesday, Adobe released a security update that closes two critical vulnerabilities, one of which is a Flash zero-day that is actively exploited in the wild. CVE-2018-15982 is a use-after-free flaw that allows adversaries to execute arbitrary code on the attacked computer and gain full control over the system. This Flash zero-day can be exploited on both 32-bit and 64-bit architectures. Experts from Gigamon and Qihoo 360 Core Security spotted malicious documents with the zero-day exploit embedded as a Flash ActiveX object inside a Word document. When a victim allows the Flash ActiveX object to execute, the malicious code drops a JPG file, then extracts a RAR archive appended to the end of this JPG file to drop and run a backdoor trojan. The backdoor can monitor user activities, collect system information and send it to a C&C server, execute shellcode, download files and execute code.
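The dropper described above hides its payload as a RAR archive appended after the image data of a JPG file; an image viewer stops at the JPEG End-Of-Image marker, so the extra bytes go unnoticed unless something looks for them. The following added example (not code from the article, Gigamon or Qihoo 360) shows the check a file scanner can run: it only inspects data that starts with the JPEG Start-Of-Image marker, looks for a RAR4 or RAR5 signature that sits after an End-Of-Image marker, and reports the offset so the appended archive can be carved out for analysis. The sample bytes are constructed for the demonstration; the function names are this example's own.

```python
"""Detect JPEG files that carry a RAR archive appended after the image data.

Added example, not part of the original article. The JPEG and RAR
signatures are the published format magic values; the sample input is
constructed here for the demonstration.
"""
from typing import Optional, Tuple

JPEG_SOI = b"\xff\xd8"   # JPEG Start Of Image marker
JPEG_EOI = b"\xff\xd9"   # JPEG End Of Image marker

# RAR signatures: RAR5 is checked first because it is the longer, more specific one.
RAR_SIGNATURES = (
    (b"Rar!\x1a\x07\x01\x00", "RAR5"),
    (b"Rar!\x1a\x07\x00", "RAR4"),
)


def find_appended_rar(data: bytes) -> Optional[Tuple[int, str, int]]:
    """Return (offset, format, appended_byte_count) when a RAR signature follows a
    JPEG End-Of-Image marker, otherwise None.

    Only data beginning with the JPEG SOI marker is inspected, so a plain RAR file
    (not disguised as an image) is ignored by this particular check.
    """
    if not data.startswith(JPEG_SOI):
        return None
    for signature, fmt in RAR_SIGNATURES:
        start = 0
        while True:
            offset = data.find(signature, start)
            if offset == -1:
                break
            # The signature must appear after an EOI marker, i.e. outside the
            # image stream, to count as an appended archive.
            if data.rfind(JPEG_EOI, 0, offset) != -1:
                return offset, fmt, len(data) - offset
            start = offset + 1
    return None


def carve_appended_rar(data: bytes) -> Optional[bytes]:
    """Return the bytes of the appended archive (from its signature to end of file)."""
    hit = find_appended_rar(data)
    return None if hit is None else data[hit[0]:]


def build_sample_polyglot(rar_format: str = "RAR5") -> bytes:
    """Constructed sample: a minimal JPEG-like byte string with a RAR header appended."""
    image = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
    if rar_format == "RAR5":
        archive = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16
    else:
        archive = b"Rar!\x1a\x07\x00"
    return image + archive


if __name__ == "__main__":
    sample = build_sample_polyglot()
    print(find_appended_rar(sample))   # (45, 'RAR5', 24)
```

Running the check over files written by Office or browser processes (the Sysmon rule linked below covers the process side of the chain) turns the dropper's polyglot trick into a detection opportunity; the carved bytes can then be handed to an archive parser or a sandbox for the next stage.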
Another patched flaw (CVE-2018-15983) is a DLL hijacking vulnerability allowing cybercriminals to gain privilege escalation via Flash Player by loading a malicious DLL. Earlier this year another zero-day in Adobe Flash Player was used by an undetermined APT group in a campaign targeting organizations in Doha, Qatar. It is necessary to update Adobe Flash Player versions 126.96.36.199 or earlier as soon as possible. To uncover this ongoing cyber-espionage campaign, you can use free SIEM rules from Threat Detection Marketplace:
Flash zero-day execute embedded in Word document (Sysmon): https://tdm.socprime.com/tdm/info/1402/