iPhone 5 Rumors Used as Bait for Adobe Exploit CVE-2012-1535

Thanks to Santiago Cortes for his assistance with this research.

Some samples exploiting the Adobe Flash Player CVE-2012-1535 Remote Code Execution Vulnerability through malicious Word documents have been captured. These samples were observed on Adobe Flash Player 11 Active X, version 11.0.1.152.

The attackers spread the malicious Word documents through email and entice their victims with file names referencing Apple's iPhone.

The .doc files attached to the email contain hidden malicious .swf files. The .swf files then drop more files onto the compromised computer, which are then opened, for example:

  • %Temp%\~WRD0001.doc           
  • %Temp%\Word8.0\ShockwaveFlashObjects.exd
  • %Temp%\Word8.0\ShockwaveFlashObjects.exd             
  • %Temp%\Word8.0\ShockwaveFlashObjects.exd
  • %UserProfile%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol

Meanwhile, the threat is also downloaded and then executed.

The .dll files dropped by the threat are detected as Backdoor.Briba and the dropped .doc files are detected as Trojan.Mdropper.

Adobe has released a security update to correct this vulnerability.