The vulnerability, tracked as CVE-2018-5002 was reported by various security firms ICEBRG, Qihoo 360 and Tencent earlier this week. The arbitrary code execution vulnerability resides with the version of Adobe Flash Player 18.104.22.168 and it can be fixed with Adobe Flash Player 22.214.171.124.
Attackers exploit the vulnerability with a crafted Microsoft Office document “salary.xlsx” to download and execute the flash exploit to victim computers. The attack primarily targets the users and organizations in the middle east.
Attackers use to embed the flash file remotely to the Office documents through the ActiveX control and the exploit code is delivered by the remote server.
The attack starts by downloading and executing a remote Shockwave Flash (SWF) file and to evade detection in the SWF includes an RSA+AES cryptosystem.
In the second stage of attack is to download and execute the shell file through the cryptosystem to gain control over the machine and to download additional tools.
Data transfer between the client and server protected by a customized cryptosystem “leveraging a symmetric cipher (AES), that protects the data payload and an asymmetric cipher (RSA) to protect the symmetric key.”
The domain for C&C servers registered by attackers mimicking a job search site in the Middle East [people[.]doha****.com] and the domain was registered on 2018-02-18.
Adobe fixed the Vulnerability CVE-2018-5002 along with other vulnerabilities CVE-2018-4945 (Arbitrary Code Execution), CVE-2018-5000 (Information Disclosure), CVE-2018-5001 (Information Disclosure), CVE-2018-5002 (Arbitrary Code Execution).
If you are flash users it is highly recommended to update with Adobe Flash Player 126.96.36.199 which includes a fix for all the vulnerabilities.