Another Adobe Flash zero-day

Almost exactly one month ago we warned about a zero-day in Flash which was being exploited in targeted attacks. Back then, malicious SWF files were embedded inside Microsoft Excel files. Excel was used strictly as a delivery vehicle.

This month, it’s Microsoft Word’s turn. The malicious .doc referenced by Brian Krebs has a lot in common with the malicious Excel sheet from last month. So if the attackers aren’t the same gang as before, they were at least inspired by the previous incident.

In contrast to last month, there’s no Poison Ivy backdoor installed in this case. This time the attack involves a backdoor which some vendors refer to as Zolpiq, though most will be calling it something generic.

The way Zolpiq manifests itself on the system is a bit more stealthy than Poison Ivy. This may explain the shift away from the popular Poison Ivy kit. We added detection for this backdoor yesterday, as Trojan-Dropper.Win32.Small.hgt.

Overall, the same comments from last month still stand. If we want to fight these targeted attacks more effectively, software vendors need to give us the option to disable features. I don’t want to view embedded Flash files in Word or Excel, and neither should you. But other than uninstalling applications, there isn’t a choice currently.
