FireEye has discovered an attack method based on embedding a Flash exploit inside a Microsoft Office document.
The attacker hosts the Microsoft Office document on their web server and uses a Dynamic DNS (DDNS) domain to reference the document and payload.
With this configuration, the attackers could disseminate their exploit via URL or email attachment.
Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target running Windows and Microsoft Office.
The attack summary, from the FireEye website:
Upon opening the document, the exploit downloads and executes a payload from the attacker’s server. To avoid suspicion, the attacker then shows the victim a decoy document.
The full exploit chain proceeds as follows:
- The victim opens the malicious Office document.
  a. The Office document renders an embedded Flash file.
     i. If the Flash Player version is older than 18.104.22.168, the attack aborts.
     ii. Otherwise, the attack runs the encoded Flash exploit.
- The exploit runs embedded native shellcode.
  a. The shellcode downloads and executes a second shellcode from the attacker’s server.
- The second shellcode:
  a. Downloads and executes malware.
  b. Downloads and displays a decoy document.
- The malware connects to a second server for command and control (C2) and waits for further instructions.
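
The chain above starts with an Office document that renders an embedded Flash file, so a mail or web gateway can flag such documents before they are opened. The following is an added example, not code from FireEye or from this page: a heuristic scanner that looks for the Shockwave Flash ActiveX CLSID and for SWF headers inside a document. The function names, indicator labels, size cap and sample document are assumptions made for illustration.

```python
import io
import re
import uuid
import zipfile

# CLSID of the Shockwave Flash ActiveX control that Office loads for embedded Flash.
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x32]")  # SWF signature + plausible version
MAX_PART = 50 * 1024 * 1024  # assumed cap: skip oversized parts (decompression-bomb guard)

def scan_blob(data):
    """Return the set of Flash indicators found in one byte string."""
    hits = set()
    lowered = data.lower()
    clsid_text = str(FLASH_CLSID)  # lowercase canonical form
    if (FLASH_CLSID.bytes_le in data  # binary GUID, as written in OLE storage
            or clsid_text.encode() in lowered  # ASCII, e.g. activeX XML parts
            or clsid_text.encode("utf-16-le") in lowered):  # UTF-16 strings
        hits.add("flash-activex-clsid")
    if SWF_MAGIC.search(data):
        hits.add("swf-header")
    return hits

def scan_office_document(data):
    """Map each document part (or "<raw>") to the indicators found in it."""
    findings = {}
    if zipfile.is_zipfile(io.BytesIO(data)):  # OOXML container: scan decompressed parts
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size <= MAX_PART:
                    hits = scan_blob(zf.read(info))
                    if hits:
                        findings[info.filename] = hits
    else:  # any other format: heuristic scan of the raw bytes
        hits = scan_blob(data)
        if hits:
            findings["<raw>"] = hits
    return findings

def build_constructed_sample():
    """Constructed OOXML-like zip for demonstration; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.xml",
                    '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
        zf.writestr("word/activeX/activeX1.bin", b"FWS\x0a" + b"\x00" * 16)
    return buf.getvalue()
```

A hit means the document embeds Flash content and deserves quarantine or sandboxing; it does not by itself show that the Flash file is an exploit.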