"Flash" attack detected anew

The attacks leveraging the Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability have been in the wild for over a week at this point, according to Symantec. The vector of infection, as in most targeted attacks, is custom-crafted emails with malicious attachments. Up to this point, the attacks have been aimed at multiple targets across manufacturers of products used by the defense industry.

The malicious documents contain an embedded reference to a malicious Flash file hosted on a remote server. When the Flash file is acquired and opened, it sprays the heap with shellcode and triggers the CVE-2012-0779 exploit. Once the shellcode gains control, it looks for the payload in the original document, decrypts it, drops it to disk, and executes it. Symantec detected this payload as Trojan.Pasam.

"So far we have identified multiple targets across manufacturers of products used by the defense industry, but this is likely to change in the coming days," the company said.

When the user opens the malicious document, the vulnerability is exploited in the background and the document is displayed to the end user. The malware authors created several junk documents for such display. Some used scraps of information from public press releases and some were written with the pretext of inviting the recipient to conferences. Others contained random data.

The malicious files we have observed so far are contacting servers hosted in China, Korea, and the United States to acquire the necessary data to complete the exploitation. This attack is targeting Adobe Flash Player on Internet Explorer for Windows only.

"We have seen many of these files circulating in the wild, therefore we advise users to keep their security solutions up to date, and update to the latest version of Flash Player as quickly as possible," Symantec said.
