Latest Flash zero-day Abuses Windows DDE Protocol

Flash zero-day vulnerability is exploited by a new group of hackers for launching attacks on many high-profile victims.

Kaspersky dubbed this criminal gang as ScarCruft, and it is comparatively a new APT group. The victims are found in Nepal, Russia, China, South Korea, Kuwait, Romania and India. Many operations of the group are going on using manifold exploits - 2 for the Adobe Flash and also 1 for the Microsoft Internet Explorer.

Kaspersky says that the group has also employed 2 other exploits of Adobe (CVE-2016-0147 and CVE-2016-4117) and an exploit of Internet Explorer during zero-day, which was part of most recent Operation Daybreak campaign.

In relation to Operation Erebus, the Kaspersky says that only CVE-2016-4117 was used by the association, served through attacks of watering hole.

Anton Ivanov and Costin Raiu posted a blog saying, it seems some unknown attackers have launched Operation Daybreak for infecting the targets that are high profiled by spear-phishing e-mails. They further said in the blog post that "to date, we have observed more than two dozen victims for these attacks".

In the Operation Daybreak case, some browser checks are performed by the hacked website that is hosting exploit kit, before the visitor is re-directed to the server that is under control of attackers hosted in the country of Poland.

Scmagazineuk.vice.com posted on June 20th, 2016, stating that this hacking group is also behind a separate cyber-crime campaign known as Operation Erebus, which abuses a critical vulnerability in Flash Player repaired in May with the use of watering hole attacks.

Adobe has announced a security advisory stating that it will address the new vulnerability in its monthly security notifications.

Windows DDE is Dynamic Data Exchange and is a protocol detailing techniques for moving data between the applications. Kaspersky Labs observes that in this particular case, hackers used a DDE trick which has never been seen before.

Kaspersky also observed that StarCruft uses the zero-day flash for spying on targets like law enforcement agency of a country of Asian, a restaurant situated in Dubai's largest mall, one of the biggest Asian trading company's employees, and a company of mobile advertising in the US.

Moreover, StarCruft APT further targeted members of International Association of Athletics Federations.

» SPAMfighter News - 6/27/2016