Discovered by Qihoo 360 Core Security, it makes use of Excel documents to deliver trojans and backdoors. This method reduces the chance of detection by anti-viruses and doesn’t require flash enabled in the browser. To do so, the Excel file calls the flash exploit from a remote server, allowing them to serve it to victims depending on IP address, cloud provider, or security product. A SWF file is then downloaded by a domain created by the attacker, which requests encrypted data and decryption keys used to conceal the exploit. From there, it can trigger the exploit and download malicious shell code. According to Iceberg, this usually consists of a backdoor and other tools to control the user’s machine. It’s a sophisticated attack that’s very difficult to detect, and users should update their flash player immediately to avoid it.
Fix Already Live
Patch CVE-2018-5002 gives users a prompt about potential security risk before loading remote content, mitigating much of the risk. It addresses three additional flaws, so it’s well-worth getting up to date. As for the origins of the attacks, neither Qihoo or Iceberg attribute it to a particular country. However, Qihoo notes that “All clues show this is a typical APT attack,” and Qatar is the suspected target. For the unfamiliar, APT stands for advanced persistent threat. They are highly stealthy and sophisticated and often run for a long period of time. As a result, they often require a huge amount of resources that are persistent with a nation-state. You can read more about the exploit on the Iceberg and Qihoo blogs.
