In its current form, the attack bundles exploit code for the Flash zero-day (a use-after-free() bug) with an ActiveX call that is embedded within an Office document. The attacker delivers the document via a spear-phishing email. ATR noted that some of the samples appear to mimic documents from a Russian medical clinic, though others were not specifically targeted towards any one company or group.
When the target opens the poisoned Doc, the ActiveX plug-in calls up Flash Player to run the attack code. From there, CVE-2018-15982 is exploited and the malware looks to download its real payload; a remote control tool that collects system info, and relays it to a command and control system.
Yet another critical Adobe Flash bug gets plugged
Posted on Thursday, December 06 2018 @ 10:16 CET by Thomas De Maesschalck