A new Adobe Flash zero-day vulnerability (CVE-2018-4878) has been spotted being exploited in the wild.
The vulnerability affects Adobe Flash Player 28.0.0.137 and earlier versions; successful exploitation could allow an attacker to take control of the affected system.
The actors are delivering the exploit in a malicious Office document or spreadsheet carrying an embedded SWF file. Once the document is opened and the exploit runs, the embedded malware payload remains encrypted until a decryption key is fetched from compromised third-party websites hosted in South Korea, so the payload is only recoverable while that infrastructure is live.
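A document-level triage check for this delivery technique, added here as an illustrative example rather than anything from the original report or from the vendors cited in it: modern Office files (docx/xlsx/pptx) are zip containers, so one can walk every part and look for two things the lure described above would carry. The first is the class ID of the Shockwave Flash ActiveX control, {D27CDB6E-AE6D-11CF-96B8-444553540000}, which appears in the `activeX*.xml` part when a document embeds Flash. The second is an SWF header anywhere inside a binary part: the three-byte signature `FWS` (uncompressed), `CWS` (zlib) or `ZWS` (LZMA), followed by a one-byte Flash version and a four-byte little-endian uncompressed length. The header sanity check keeps random `CWS` byte runs from raising alarms. The fixture documents built by `build_sample` are constructed for this example and are not real samples.

```python
import io
import re
import struct
import zipfile

# Signatures that open every SWF file: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = re.compile(rb"(FWS|CWS|ZWS)")
# CLSID of the Shockwave Flash ActiveX control as written in OOXML activeX*.xml parts.
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"


def swf_header_at(data, off):
    """Return (signature, version, length) if a plausible SWF header starts at off, else None.

    Layout: 3-byte signature, 1-byte version, 4-byte little-endian uncompressed length.
    """
    if off + 8 > len(data):
        return None
    sig = data[off:off + 3].decode("ascii")
    version = data[off + 3]
    length = struct.unpack_from("<I", data, off + 4)[0]
    # Flash versions ran from 1 into the low 30s; the length covers the header itself,
    # and anything beyond 64 MB is not a believable embedded movie.
    if not (1 <= version <= 50) or length < 8 or length > 64 * 1024 * 1024:
        return None
    return (sig, version, length)


def scan_ooxml(blob):
    """Scan an OOXML (docx/xlsx/pptx) byte string for embedded Flash indicators.

    Returns a list of (part_name, indicator) tuples; an empty list means nothing found.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            # ActiveX persistence parts are XML; look for the Flash control's CLSID.
            if name.lower().endswith(".xml"):
                if FLASH_CLSID in data.decode("utf-8", "replace").lower():
                    hits.append((name, "flash-activex-clsid"))
            # Any part (OLE blobs, activeX*.bin, media) may carry a raw SWF at some offset.
            for m in SWF_MAGIC.finditer(data):
                hdr = swf_header_at(data, m.start())
                if hdr is not None:
                    sig, version, length = hdr
                    hits.append((name, f"swf-{sig}-v{version}-len{length}"))
                    break
    return hits


def build_sample(with_flash):
    """Construct a minimal docx-shaped zip as a test fixture (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
        if with_flash:
            zf.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}" '
                'ax:persistence="persistStorage"/>',
            )
            # OLE compound-file magic plus padding, then a zlib-compressed SWF header:
            # "CWS", Flash version 28, uncompressed length 4096 bytes.
            swf = b"CWS" + bytes([28]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 32
            zf.writestr("word/activeX/activeX1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("flash-lure", build_sample(True)), ("clean", build_sample(False))):
        print(label, scan_ooxml(doc))
```

On a real mail gateway this check belongs alongside, not instead of, a Flash-version policy: an SWF hit in a document is rare enough in business traffic to be worth quarantining outright, and legitimate cases can be allow-listed by sender.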
FireEye attributes the attack to a North Korean group it tracks as TEMP.Reaper, which typically targets South Korean government, military and defense-industrial entities. Cisco tracks the same group as Group 123.
“We have observed TEMP.Reaper operators directly interacting with their command-and-control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang,” FireEye researchers said in an analysis. “The STAR-KP network is operated as a joint venture between the North Korean Government’s Post and Telecommunications Corporation and Thailand-based Loxley Pacific.”
FireEye’s preliminary analysis indicates that the actors are exploiting the vulnerability to deliver the DOGCALL malware to South Korean victims; Cisco tracks the same family as ROKRAT. It is a remote administration tool (RAT) focused mainly on espionage and data exfiltration, and it carries a wiper as one of its modules.
The wiper is a new trick for TEMP.Reaper/Group 123. “In the past year, FireEye iSIGHT Intelligence has discovered newly developed wiper malware being deployed by TEMP.Reaper, which we detect as RUHAPPY,” said FireEye. “While we have observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks, we have not thus far observed TEMP.Reaper use their wiper malware actively against any targets.”