Security vendor Kaspersky has published details of an advanced persistent threat (APT) that exploits a zero-day vulnerability in Adobe Flash to download the FinFisher surveillance kit.
The threat starts with a phishing email that delivers an infected RTF or other Office file. Opening this triggers an exploit that uses the Flash zero-day to download FinFisher, which is then used to exfiltrate data and monitor activity on the infected Windows machine.
Anglo-German firm Gamma International sells FinFisher and other surveillance software and exploits to nefarious regimes including Angola, Saudi Arabia and Venezuela. The company was itself hacked in 2014, and many of its secrets were uploaded to the internet. However, says Kaspersky, the perpetrator of the latest APT seems to be a group known as "BlackOasis", one of Gamma's "legitimate" customers. It uses the latest version of FinFisher.
Kaspersky says it has been tracking the activities of BlackOasis since May 2016 and that the group has deployed similar methods a number of times since then. The same command and control servers were used in the attacks, and the modus operandi is similar.
The group's targets include senior figures in the UN, think tank members, opposition bloggers and activists and journalists, mostly in the Middle East but also in the UK, Russia, Afghanistan, Nigeria, Libya, Netherlands and Angola. Oil seems to be a common factor linking many of the targets.
"The attack begins with the delivery of an Office document, presumably in this instance via e-mail," says Kaspersky. "Embedded within the document is an ActiveX object which contains the Flash exploit."
The Flash object contains ActionScript code which is responsible for extracting the malware, which then attacks a memory corruption vulnerability.
If this exploit is successful, "it will gain arbitrary read / write operations within memory, thus allowing it to execute a second stage shellcode," Kaspersky continues, adding that the first stage shellcode is designed "to avoid detection by antivirus products looking for large NOP blocks inside Flash files".
This second stage payload is the FinFisher software which is injected into the Windows login process. Once active it communicates with three command and control servers which are used to exfiltrate information from the infected machine and to monitor activity on it.
Kaspersky says it is aware of one incident in which the APT has been used, in this case to attack one of its customers. It advises organisations and individuals to disable Flash where possible and to deploy a "multi-layered approach including access policies, anti-virus, network monitoring and whitelisting" to protect against similar attacks.
Kaspersky itself was the subject of a hacking story when it was apparently compromised by Israeli intelligence, who claimed to have found NSA malware on the firm's network. In the US many customers have cut ties with the company over alleged links to the Kremlin.