On January 31, an Adobe Flash zero-day vulnerability was identified by the South Korea’s KISA (KrCERT/CC). North Korean threat actors were targeting South Korean entities. It was exploited in the wild since as early as November 14, 2017. Today, seven days after the publication of the Flash zero-day, Adobe published APSB18-03 that resolves this issue.

Flash Zero-Day

The vulnerability, CVE-2018-4878, is a critical remote code execution (RCE) vulnerability in all published versions of Adobe Flash (version and earlier) running on all operating systems. It also affects Adobe Flash embedded in Microsoft Internet Explorer and Microsoft Edge. Adobe has released a patch to resolve this the Flash zero-day, bundled with another critical RCE vulnerability — CVE-2018-4877.

Distribution Method

The exploit is distributed via social engineering, enticing a user to open a malicious email or a document with an embedded SWF file, or that contains an Excel spreadsheet. This would lead the user to download malware from compromised websites.

North Korean Threat Actors

FireEye iSIGHT Intelligence and Cisco assess that a North Korean hacker group tracked by them — dubbed TEMP.Reaper and Group 123 — is behind the exploitation of this vulnerability. The group appears to be using TTPs that were previously used by the North Korean threat actor at the nation-state level.

Targets and the DOGCALL Malware

So far, the main victims have been South Korean targets who have been affected by malware hosted on third–party South Korean sites, most likely a malware named DOGCALL (aka ROKRAT). DOGCALL is a remote access Trojan that opens a back door on the compromised computer. It may also download potentially malicious files and steal information, meaning the threat actor can do pretty much everything on the compromised computer.

As this vulnerability is still unpatched on most machines, other threat actors may adopt this exploit very quickly for other targets as well.

What Users Should Do

Install the Adobe patch APSB18-03 and continue to track the vulnerability details, as more information and mitigation options becomes available.