Yesterday, Adobe released a patch for Adobe Flash that fixed a zero-day vulnerability that was being exploited in the wild. According to Adobe, CVE-2013-0633 is being exploited using Microsoft Office files with embedded Flash content delivered via email. They are also aware of CVE-2013-0634 being exploited through web browsers such as Firefox and Safari on Mac OS X. FireEye released some information a few hours ago.
We found several Microsoft Office files containing the exploit that seem to be part of a spear-phishing campaign targeting several industries, including aerospace.
One of the files was using the 2013 IEEE Aerospace Conference schedule as a lure to trick the user into opening the file. Here is the content displayed to the user.
Another sample is related to an online payroll system used by several companies in the US.
As we previously said, the .doc files contain an embedded Flash file with no compression or obfuscation. The Flash file has an embedded executable file that is the actual payload delivered to the victim. It is worth mentioning that the executable file isn’t obfuscated at all, which means most security products should be able to detect this threat using generic signatures.
The Flash files contain several ActionScript classes that check for specific Flash and operating system versions, along with specific code to trigger the exploit.
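A defensive triage sketch for the structure described above, added here as an example (not code from the original post): it looks for an uncompressed SWF header in a document's raw bytes and then for a PE image inside that SWF. The function names, the plausibility bounds and the sample bytes are assumptions constructed for illustration, and the scan assumes the SWF is stored contiguously in the container.

```python
import struct

def find_uncompressed_swf(data):
    """Yield (offset, version, declared_length) for plausible 'FWS' headers."""
    pos = data.find(b"FWS")
    while pos != -1:
        if pos + 8 <= len(data):
            version = data[pos + 3]
            (length,) = struct.unpack_from("<I", data, pos + 4)
            # Heuristic bounds (assumed): sane version, length fits the container.
            if 1 <= version <= 50 and 8 < length <= len(data) - pos:
                yield pos, version, length
        pos = data.find(b"FWS", pos + 1)

def find_pe(data):
    """Return offsets of 'MZ' headers whose e_lfanew points at a PE signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def scan_document(data):
    """Report each uncompressed SWF and any PE image carried inside it."""
    return [
        {"swf_offset": off, "swf_version": ver,
         "pe_offsets": [off + p for p in find_pe(data[off:off + length])]}
        for off, ver, length in find_uncompressed_swf(data)
    ]

# Constructed sample (not a real document): OLE magic, padding, and a tiny
# "SWF" whose body carries a minimal MZ/PE stub.
PE_STUB = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
SWF_BODY = b"\0" * 16 + PE_STUB + b"\0" * 16
SWF = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(SWF_BODY)) + SWF_BODY
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 504 + SWF + b"\0" * 64

if __name__ == "__main__":
    for finding in scan_document(SAMPLE_DOC):
        print(finding)
```

A hit only means the nesting exists; any flagged file still needs to go through normal sample analysis.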
The code contains several references to “Lady Boyle” who is a character in the computer game Dishonored.
One of the payloads used is an executable signed with a fake certificate from a South Korean company called MGAME. We have seen this certificate dozens of times in the past in targeted attacks, including attacks against NGOs, where it was used to sign several RAT files, including PlugX.
The sample connects to ieee[.]boeing-job[.]com (C&C):
We will keep you up to date as we discover new information related to this attack.