Adobe's Flash Player has been the cause of security concerns over the past few years with lots of attackers targeting the particular software. A few months ago, Kaspersky Lab discovered
a Flash vulnerability through Microsoft Word, and in February 2017, even Microsoft was forced to release a critical security update for Flash on Windows, separate from its Patch Tuesday schedule. Now, another zero-day vulnerability has been discovered in the software, which allows Remote Code Execution (RCE) on various platforms. According to Adobe, it is already being utilized against Windows users on a limited scale. The latest security issue has been discovered by South Korea's CERT
and has been reported in detail by Cisco Systems' Talos group
. According to the security researchers, the exploit is carried out by embedding a Flash SWF file in a Microsoft Excel document. In the limited number of attacks carried out using this vulnerability so far, opening this document allows the Flash object to download the ROKRAT payload from malicious websites, load it into the memory and execute it. ROKRAT is a Remote Administration Tool that is used in cloud platforms to procure documents. According to Talos, a group named "Group 123" is the perpetrator of ROKRAT, but this is the first time that it has utilized a zero-day vulnerability. The security researchers go on to say that:
Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0 day which was outside of their previous capabilities - they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group. Whilst Talos do not have any victim information related to this campaign we suspect the victim has been a very specific and high value target. Utilizing a brand new exploit, previously not seen in the wild, displays they were very determined to ensure their attack worked.