Targeted Attacks Using Confusion (CVE-2012-0779)

Adobe today issued a security bulletin for a vulnerability in Flash Player, which is currently being used in limited targeted attacks. The targeted attacks leveraging the Adobe Flash Player CVE-2012-0779 Object Type Confusion Remote Code Execution Vulnerability have been in the wild for over a week. The vector of infection, as in most targeted attacks we see, are custom crafted emails with malicious attachments.

For the exploit to successfully work, the malicious attachments need to be opened on a computer with a vulnerable version of Adobe Flash Player. The malicious documents contain an embedded reference to a malicious Flash file hosted on a remote server. When the Flash file is acquired and opened, it sprays the heap with shellcode and triggers the CVE-2012-0779 exploit. Once the shellcode gains control, it looks for the payload in the original document, decrypts it, drops it to disk, and executes it. Symantec detects this payload as Trojan.Pasam.

So far we have identified multiple targets across manufacturers of products used by the defense industry, but this is likely to change in the coming days.
 


 

Some of the subject lines observed in this campaign:

  • [EMAIL USERNAME], The disclosure of [REDACTED] secret weapon deals with the Middle East
  • [EMAIL USERNAME], I heard about the consolidation of [REDACTED], is that true?
  • [COMPANY NAME] is in the unpromising situation after acquisition by [COMPANY]
  • Invitation Letter to [REDACTED] 2012
  • some questions about [REDACTED]
  • China-Russia Joint Military Exercises
  • FOR more information

A sampling of file names for the documents used in this campaign:

  • Consolidation Schedule.doc
  • [COMPANY NAME REDACTED].doc
  • [REDACTED] Invitation Letter to [REDACTED] 2012
  • questions about your course.doc
  • military exercise details.doc

When the user opens the malicious document the vulnerability is exploited in the background and the document is displayed to the end user. The malware authors created several junk documents for such display. Some used scraps of information from public press releases and some were written with the pretext of inviting the recipient to conferences. Others contained random data.
 


 

The malicious files we have observed so far are contacting servers hosted in China, Korea, and the United States to acquire the necessary data to complete the exploitation. This attack is targeting Adobe Flash Player on Internet Explorer for Windows only.

We have seen many of these files circulating in the wild, therefore we advise users to keep their security solutions up to date, and update to the latest version of Flash Player as quickly as possible.