(Advanced Persistent Threat)…

Adobe Systems warned users in June that an unpatched Flash Player vulnerability is currently being exploited in targeted attacks.

The exploit was discovered by researchers from antivirus vendor Kaspersky Lab in attacks attributed to a cyberespionage group known in the security industry as ScarCruft, though probably the hacker group calling itself Wekby APT (Advanced Persistent Threat).

ScarCruft launched Operation Daybreak in March this year, infecting high-profile targets through spear-phishing e-mails.

The website hosting the exploit kit performs a couple of browser checks before redirecting the visitor to a server controlled by the attackers hosted in Poland.

The hacking group is also behind a separate cyber-crime campaign dubbed Operation Erebus that abuses a critical vulnerability in Flash Player, patched in May, through the use of watering hole attacks.
Adobe has now issued a new security update which resolves a vast number of critical security flaws found within Adobe Flash, many of which lead to remote code execution…

In July, the tech giant issued a security advisory which revealed a total of 52 vulnerabilities in Adobe Flash which “could potentially allow an attacker to take control of the affected system,” according to Adobe.

The update includes Flash security fixes across the Microsoft Windows, Apple Mac, Linux, and ChromeOS operating systems, as well as the Google Chrome, Microsoft Edge, and Internet Explorer 11 browsers.

The Wekby APT (Advanced Persistent Threat) group, involved in many targeted attacks against healthcare businesses like Community Health Systems and major pharmaceutical companies, is apparently making use of the Adobe Flash Player zero-day which was found recently in the Hacking Team data dump.

Spear phishing email messages claiming to be from Adobe have been found spreading a modified version of the Hacking Team exploit affecting Flash Player versions up to 18.0.0.194.

The spear phishing message urges the victim to download and install an updated version of Flash and contains a link to http://get(.)adobe(.)com which redirects the recipient to a site hosted by PEG TECH Inc.

The site loads a malicious .swf file exploiting the Flash vulnerability which has since been patched by Adobe.

The malware executes and connects to a known Wekby command-and-control address, which was hosted in Singapore.

Any connection involving this IP address or these hostnames should be considered hostile and a possible indicator of compromise.

The above IP address has functioned as a C2 server for a wide range of different malware in the past (Gh0st, Poison Ivy, Remote RSS, etc.).
The malware currently circulating, however, is an improved version of the Gh0st remote access Trojan (RAT).

The zero-day leveraged in the Hacking Team attack is one of many Flash vulnerabilities exposed in recent times.

In June, FireEye’s security researchers discovered a separate Flash flaw which is being employed by the “Clandestine Wolf” group of cybercriminals to attack businesses in the aerospace, construction, defence, technology and telecom industries.

The attackers are having a field day with this exploit and will not slow down any time soon. Patching is the most sensible course of action to deal with this exploit, which is very much in the wild.

Warning: do not click the links below!

The pisloader malware family was delivered via HTTP from the following URL. At the time of writing, this URL was still active.

http://globalprint-us[.]com/proxy_plugin.exe

Other samples hosted on this domain include the following:

http://globalprint-us[.]com/proxy_web_plugin.exe

MD5: E4968C8060EA017B5E5756C16B80B012
SHA256: 8FFBB7A80EFA9EE79E996ABDE7A95CF8DC6F9A41F9026672A8DBD95539FEA82A
Size: 126976 Bytes
Compile Time: 2016-04-28 00:38:46 UTC

This file was found to be an instance of the common Poison Ivy malware family with the following configuration data:

Command and Control Address: intranetwabcam[.]com
Command and Control Port: 80
Password: admin
Mutex: )!VoqA.I5

The domains witnessed in this attack were all registered very shortly prior to being used.
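As an added example (not part of the original post), a small Python helper that loads the domains and file hashes quoted above, refangs the defanged notation, and checks proxy log lines and file hashes against them; the log line format and the sample lines are constructed assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Indicators quoted in the post above, kept in their defanged form on purpose.
IOC_DOMAINS = {"globalprint-us[.]com", "intranetwabcam[.]com"}
IOC_HASHES = {
    "md5": {"e4968c8060ea017b5e5756c16b80b012"},
    "sha256": {"8ffbb7a80efa9ee79e996abde7a95cf8dc6f9a41f9026672a8dbd95539fea82a"},
}


def refang(value: str) -> str:
    """Turn a defanged indicator ('[.]', '(.)' or URL-encoded '%5B.%5D') back into a plain hostname."""
    return re.sub(r"(\[\.\]|\(\.\)|%5B\.%5D)", ".", value, flags=re.IGNORECASE).lower()


# Refanged once so log matching is a plain set lookup.
REFANGED_DOMAINS = {refang(d) for d in IOC_DOMAINS}


def match_proxy_logs(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_no, host) for every log line whose requested URL points at a listed domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in re.findall(r"https?://([A-Za-z0-9.-]+)", line):
            if host.lower() in REFANGED_DOMAINS:
                hits.append((n, host.lower()))
    return hits


def hash_is_listed(algorithm: str, digest: str) -> bool:
    """True when a file digest (MD5 or SHA256, any case) matches a hash quoted in the post."""
    return digest.lower() in IOC_HASHES.get(algorithm.lower(), set())


# Constructed sample proxy log lines (not real traffic); format is an assumption.
SAMPLE_LOG = [
    "2016-05-02 10:01:11 10.0.0.7 GET http://example.org/index.html 200",
    "2016-05-02 10:02:40 10.0.0.7 GET http://globalprint-us.com/proxy_plugin.exe 200",
    "2016-05-02 10:03:05 10.0.0.7 POST http://intranetwabcam.com/ 200",
]

if __name__ == "__main__":
    for n, host in match_proxy_logs(SAMPLE_LOG):
        print(f"line {n}: contact with listed indicator {host}")
```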

The Wekby group continues to target various high profile organizations using sophisticated malware. The pisloader malware family uses various novel techniques, such as using DNS as a C2 protocol, as well as making use of return-oriented programming and other anti-analysis tactics.

submitted by M0rning3tar for diggaman.net
