An exploit in the beleaguered Adobe Flash software is delivering the FINSPY (aka FinFisher) remote access Trojan (RAT).

The exploit, which has been observed in the wild, targets a Flash memory corruption vulnerability (CVE-2017-11292) that could allow remote code execution. It also includes code presumably to avoid antivirus detection.

The FINSPY payload is legitimate — if controversial — spyware used for legal surveillance within a nation state by law enforcement agencies. However, the recent attack shows FINSPY is being used across national borders and appears to be targeting UN member countries.

According to Kaspersky who discovered the zero–day exploit, a threat actor dubbed “BlackOasis” is carrying out targeted attacks with this exploit and has a track record with Flash/FINSPY attacks going back to June 2015.

With Adobe set to kill off Flash by 2020 and web browsers adding extra measures to protect against it, BlackOasis turned to Word documents embedded with a Flash file that launches the attack when the document is opened.

Adobe has released a patch, and it is recommended that all consumers — even those who don’t believe they are running Flash on their computer — install the patch immediately.

 

Related Posts

Microsoft Fixes .NET Zero–Day Exploited to Install Spyware: The .Net flaw is one of more than 80 vulnerabilities Microsoft fixed during September’s Patch Tuesday, and is being used to distribute FINSPY spyware.

 

Resources

Get more info on the Adobe Flash vulnerability at Skybox Vulnerability Center. Create and account to track the vendors, products and vulnerabilities that matter most to your organization.

Protect your network in the era of global cyberattacks. Learn how Skybox threat–centric vulnerability management can help.