Targeted advanced persistent threat using FinFisher surveillance software identified

Multi-stage attack uses Adobe Flash vulnerability to download FinFisher

An advanced persistent threat (APT) that exploits a new Adobe Flash zero-day to download Gamma FinFisher surveillance software has been identified by security vendor Kaspersky.

The threat starts with an infected RTF or other Office file which then triggers an exploit that utilises the Flash zero-day to download FinFisher, which is used to exfiltrate data and monitor activity on the infected Windows machine.

FinFisher is the product of Anglo-German firm Gamma International, which sells exploits and surveillance software to nefarious regimes such as Angola, Saudi Arabia and Venezuela. The company was itself hacked in 2014, and many of its secrets were uploaded to the internet. However, the perpetrator of the latest threat seems to be a group known as BlackOasis, one of Gamma's 'legitimate' customers. The group uses the latest version of FinFisher.

BlackOasis is probably based in the Middle East. Kaspersky says it has been tracking the group's activities since May 2016. The latest exploit uses command and control servers deployed in previous attacks that were attributed to that actor, it claims, and has a similar modus operandi.

The targets of BlackOasis include senior figures in the UN, think tank members, opposition bloggers and activists and journalists, mostly in the Middle East but also in the UK, Russia, Afghanistan, Nigeria, Libya, Netherlands and Angola. Oil seems to be a common factor linking many of the targets.

"The attack begins with the delivery of an Office document, presumably in this instance via e-mail," says Kaspersky. "Embedded within the document is an ActiveX object which contains the Flash exploit."

The Flash object contains ActionScript code responsible for extracting the malware, which then attacks a memory corruption vulnerability.

If this exploit is successful, "it will gain arbitrary read / write operations within memory, thus allowing it to execute a second stage shellcode," the company continues, adding that the first stage shellcode is designed "to avoid detection by antivirus products looking for large NOP blocks inside Flash files".

This second stage payload is the Gamma FinFisher software which is then injected into the Windows login process. Once active it communicates with three command and control servers which are used to exfiltrate information from the infected machine and to monitor activity.
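The delivery vector described above is an Office or RTF document carrying an embedded Flash object. A defender's first triage step for that vector is to check whether a document contains a Flash (SWF) object at all. The script below is an added example, not code from the article or from Kaspersky: it opens OOXML documents (the zip-based .docx/.xlsx/.pptx formats), scans every member, including ActiveX and embedding parts, for an SWF header, and for RTF files decodes the hex blobs in `\objdata` groups and scans those. The sample documents it builds are constructed stand-ins with synthetic SWF-like headers, not real malware, and the version-byte bound of 64 is an assumption chosen to limit false positives.

```python
"""Scan Office (OOXML) and RTF documents for embedded Flash (SWF) objects.

Added example; not part of the original article or of Kaspersky's report.
An SWF file starts with a 3-byte signature ('FWS' uncompressed, 'CWS' zlib,
'ZWS' LZMA), a 1-byte version and a 4-byte little-endian length.
"""
import io
import re
import sys
import zipfile

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
MAX_SWF_VERSION = 64                   # assumed sanity bound on the version byte
MAX_MEMBER_BYTES = 50 * 1024 * 1024    # refuse to inflate oversized zip members

# RTF embeds OLE objects as hex digits after \objdata (whitespace may be interleaved).
_RTF_OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def find_swf_headers(blob: bytes):
    """Return (offset, signature, version) for every plausible SWF header in blob.

    The SWF usually sits inside an OLE/ActiveX wrapper, so the signature is
    searched for anywhere in the data, not only at offset 0.
    """
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            pos = blob.find(sig, start)
            if pos < 0 or pos + 8 > len(blob):
                break
            version = blob[pos + 3]
            if 1 <= version <= MAX_SWF_VERSION:
                hits.append((pos, sig.decode(), version))
            start = pos + 1
    return sorted(hits)


def scan_ooxml(data: bytes):
    """Scan every member of a zip-based Office document for SWF headers."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            tag = " (ActiveX part)" if "activex" in info.filename.lower() else ""
            for off, sig, ver in find_swf_headers(zf.read(info.filename)):
                findings.append(f"{info.filename}{tag}: {sig} v{ver} at offset {off}")
    return findings


def scan_rtf(data: bytes):
    """Decode each \\objdata hex blob in an RTF file and scan it for SWF headers."""
    findings = []
    for n, m in enumerate(_RTF_OBJDATA.finditer(data), 1):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        blob = bytes.fromhex(hexdata.decode("ascii"))
        for off, sig, ver in find_swf_headers(blob):
            findings.append(f"\\objdata #{n}: {sig} v{ver} at offset {off}")
    return findings


def scan_document(data: bytes):
    """Dispatch on container type; legacy OLE2 .doc and unknown data get a raw scan."""
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    return [f"raw: {sig} v{ver} at offset {off}" for off, sig, ver in find_swf_headers(data)]


# ---- constructed sample inputs (synthetic headers, not real Flash content) ----
def _swf_like(sig: bytes, version: int) -> bytes:
    body = b"\x00" * 24
    return sig + bytes([version]) + (8 + len(body)).to_bytes(4, "little") + body


def build_sample_docx() -> bytes:
    """Minimal .docx-style zip whose ActiveX part wraps an SWF-like header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.bin", b"\x00" * 16 + _swf_like(b"CWS", 20))
    return buf.getvalue()


def build_sample_rtf() -> bytes:
    """Minimal RTF whose \\objdata group hex-encodes an SWF-like header."""
    obj = b"\x01\x05\x00\x00" + _swf_like(b"FWS", 10)
    return b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata " + obj.hex().encode() + b"}}}"


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for name, sample in (("sample.docx", build_sample_docx()), ("sample.rtf", build_sample_rtf())):
            print(name, scan_document(sample))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, scan_document(fh.read()))
```

Run it with document paths as arguments, or with none to scan the two constructed samples. A hit only says a Flash object is present, which is already a policy concern if Flash is supposed to be disabled; it does not by itself identify an exploit, so flagged files should go to a sandbox or be matched against the indicators in Kaspersky's report.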

Adobe has released a patch for the critical vulnerability, which it tracks as CVE-2017-11292, for Adobe Flash Player on Windows, Macintosh, Linux and Chrome OS.

Kaspersky is aware of one incident in which the APT has been used to attack a customer. It advises organisations and individuals to disable Flash where possible and to deploy a "multi-layered approach including access policies, anti-virus, network monitoring and whitelisting" to protect against similar attacks.