CVE-2018-15982 exploit attacks

In late November 2018, a targeted attack against a medical institution in Russia exploited CVE-2018-15982, a zero-day remote code execution vulnerability in Adobe Flash Player. Adobe released an emergency patch in security bulletin APSB18-42 on December 5, 2018.

Attackers and security researchers alike typically gain access to exploits by reverse-engineering vendor patches or through the sharing of proof-of-concept samples. As exploits are added to exploit kits and penetration testing tools, their use can become widespread. However, in the case of CVE-2018-15982, only one additional attack using the exploit has been reported so far, and that incident simply reused existing proof-of-concept content with no revisions. The lack of widespread abuse can likely be credited in part to Adobe’s swift action and to the highly targeted nature of the attack itself.

Nevertheless, the zero-day attack highlights a number of mitigations that defenders should take advantage of to block similar attacks.

Update: Inclusion in exploit kits

While we observed limited activity at the time this exploit was reported, we expected a rise in code variants as well as related attack activity.

In the middle of January 2019, we started observing multiple campaigns exploiting CVE-2018-15982 and even found exploit code in exploit kits (packages, typically sold on the dark web, that bundle multiple exploits so that an attack can automatically fall back to an alternative exploitation mechanism whenever one fails). CVE-2018-15982 exploit code is present in prevalent campaigns through the infamous Underminer, Fallout, or KaiXin exploit kits.

These campaigns have been observed delivering the GandCrab ransomware and the Zegost backdoor, although the exploit kits can be used to deliver other payloads. Microsoft Defender ATP provides updated protection against recent campaigns exploiting CVE-2018-15982, with enhanced heuristic coverage against future variants.

Targeted attacks

Initial attacks observed exploiting CVE-2018-15982 used spear-phishing emails with an attached RAR archive containing two files:

  • A lure document
  • A second RAR archive disguised as a .jpg file

When the user opens the lure document, an embedded Flash ActiveX control containing the exploit is rendered. ActionScript code in the Flash object runs a small command script that in turn unpacks and runs the payload, the file backup.exe, from the second RAR archive.

The payload copies itself to %LOCALAPPDATA%\NvidiaControlPanel\NVIDIAControlPanel.exe and creates a scheduled task that starts the backdoor whenever a user logs in. It then collects local system information and uploads it to a hardcoded command-and-control (C&C) IP address every five minutes.

The backdoor is capable of receiving instructions in the form of shellcode that can be loaded directly into memory. It is also designed to delete itself under certain circumstances, such as whenever its file name is its hash value, which commonly occurs when security researchers and tools rename samples for analysis.

Prevalent attacks using exploit kits

More recent attack campaigns exploiting CVE-2018-15982 are delivered through sites serving malicious Adobe Flash advertisements. The ads host exploit kits, mostly Underminer, Fallout, and KaiXin, that contain exploit code for CVE-2018-15982, among other vulnerabilities.

Upon successful exploitation, a set of base64-encoded PowerShell commands runs and downloads a malware payload. The payloads seen so far are the GandCrab ransomware and the Zegost malicious backdoor in separate campaigns.


Mitigations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

  • To address the exploit used by this threat, mitigate the following vulnerability: CVE-2018-15982.
  • Use hardware-based isolation, provided through Windows Defender System Guard, and exploit protection capabilities in Windows 10. These capabilities provide strategic mitigation of exploitation techniques.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new variants and polymorphic copies of this threat. 
  • Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use Office 365 ATP for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Office 365 to recheck links on click and delete sent mail in response to newly acquired threat intelligence. 
  • Turn on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications.
  • Check your perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and command-and-control (C&C) activity.

Detection details

Antivirus

Windows Defender Antivirus detects threat components as the following malware:

Endpoint detection and response (EDR)

Alerts with the following titles in the Microsoft Defender Security Center portal can indicate threat activity on your network:

  • A malicious file was detected based on indication provided by O365
  • Malicious document (CVE-2018-15982) Detected
  • CrisisHT backdoor detected
  • Malicious SWF Files (CVE-2018-15982) Detected

Attack surface reduction rules

These rules can block or audit activity associated with this threat:

  • Block all Office applications from creating child processes
  • Block Office applications from creating executable content

Advanced hunting

To locate possible attack activity involving the extraction of the malicious RAR archive, run the following query:

ProcessCreationEvents
| where FileName == "cmd.exe" 
| where ProcessCommandLine contains @"set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"
| where ProcessCommandLine contains @"cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"
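As an added illustration (not code from Microsoft's report), the following Python re-implements the hunting query above as a filter over constructed process-creation records, and adds a second check for the logon-task persistence described under "Targeted attacks". The `DeviceName` field, the use of `schtasks.exe /Create` for the task, and the rule names are assumptions; both command-line substrings are taken from the query.

```python
import re

# Both substrings are copied from the report's advanced hunting query.
RAR_PATH_STR = r"set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"
RAR_EXTRACT_STR = r"cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"
# Persistence location named in the "Targeted attacks" section.
PERSIST_PATH = r"%LOCALAPPDATA%\NvidiaControlPanel\NVIDIAControlPanel.exe"

def is_rar_extraction(event):
    """Mirror of the KQL: FileName == cmd.exe and both substrings present."""
    cmd = event.get("ProcessCommandLine", "")
    return (event.get("FileName", "").lower() == "cmd.exe"
            and RAR_PATH_STR in cmd and RAR_EXTRACT_STR in cmd)

def is_persistence_task(event):
    """Assumption: the logon task is registered with schtasks.exe /Create
    and its action points at the backdoor's persistence path."""
    cmd = event.get("ProcessCommandLine", "")
    return (event.get("FileName", "").lower() == "schtasks.exe"
            and re.search(r"/create\b", cmd, re.I) is not None
            and PERSIST_PATH.lower() in cmd.lower())

def hunt(events):
    """Return (DeviceName, rule) pairs for every matching event, in order."""
    hits = []
    for ev in events:
        if is_rar_extraction(ev):
            hits.append((ev["DeviceName"], "rar-extraction"))
        if is_persistence_task(ev):
            hits.append((ev["DeviceName"], "persistence-task"))
    return hits

# Constructed sample records (not real telemetry); field names follow the
# ProcessCreationEvents columns used in the query, plus an assumed DeviceName.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "cmd.exe",
     "ProcessCommandLine": 'cmd /c "' + RAR_PATH_STR + " & " + RAR_EXTRACT_STR + '"'},
    {"DeviceName": "ws02", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd /c dir C:\\Users"},   # benign, must not match
    {"DeviceName": "ws01", "FileName": "schtasks.exe",
     "ProcessCommandLine": 'schtasks /Create /SC ONLOGON /TN Update /TR "' + PERSIST_PATH + '"'},
]

if __name__ == "__main__":
    for device, rule in hunt(SAMPLE_EVENTS):
        print(device, rule)
```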

Indicators

Targeted attacks

Files (SHA-1)

RAR archive

  • 8a11a2d727695a9fdfc8b19a84d3e60066ebb84f

Lure documents

  • 1865ae413f6f5c9cfa5182cd011aa28948ed4974
  • 2d22bf18ab1a8db0309c477472b481b0641b9dc7

Secondary RAR archive

  • 6a8ee6254f84fc18360b6c49720d4312b46f390f

Backdoors

  • 3372402dda40ce9ca33e945d9555c8701bf33fdf
  • 76a3e546ada90fb71192d48edbe0d9092c2a94bb
  • f6a7009def994cf5bb85c1b95c970ccb922603c3

C&C server

  • 188.241.58.68

Exploit kit campaigns

SWF files (SHA-1)

