Another Adobe Flash zero-day

Almost exactly one month ago we warned about a zero-day in Flash which was being exploited in targeted attacks. Back then, malicious SWF files were embedded inside Microsoft Excel files. Excel was used strictly as a delivery vehicle.

This month, it’s Microsoft Word’s turn. The malicious .doc referenced by Brian Krebs shares a lot of commonalities with the malicious Excel sheet from last month. So if they aren’t the same gang as before the attackers were at least inspired by this previous incident.

In contrast to last month, there’s no Poison Ivy backdoor installed in this case. This time the attack involves a Backdoor which some vendors refer to as Zolpiq, though most will be calling it something generic.

The way Zolpiq manifests itself on the system is a bit more stealthy than Poison Ivy. This may explain the shift away from the popular Poison Ivy kit. We added detection for this backdoor yesterday, as Trojan-Dropper.Win32.Small.hgt.

Overall, the same comments from last month still stand. If we want to more effectively fight these targeted attacks software vendors need to give us the option to disable features. I don’t want to view embedded Flash files in Word or Excel and neither should you. But other than uninstalling applications there isn’t a choice currently.

Another Adobe Flash zero-day

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox