Flash Exploit CVE-2018-4878 Detected in Malicious Email Campaign

Morphisec Labs detected several malicious Microsoft Word documents exploiting the Adobe Flash Player vulnerability CVE-2018-4878 in an email campaign that bypassed many existing scanning solutions. The documents were downloaded from the safe-storage[.]biz domain and went almost entirely undetected, with a 1/67 detection ratio. Victims received short links to the malicious website that had been generated with the Google URL Shortener, which gave security researchers access to the click analytics for the shortened links. Once the victim downloads and opens the Word document, the embedded Flash content exploits CVE-2018-4878 and spawns a command prompt (cmd.exe) into which malicious shellcode is injected; the shellcode establishes a connection to the malicious domain. It then downloads a DLL named "m.db" from the same domain and executes it through the legitimate regsvr32 process, so that a signed Windows binary rather than the payload itself is what launches, a technique intended to bypass application whitelisting.

The NJCCIC recommends applying the patch released by Adobe in early February and reviewing Morphisec's blog for additional information and indicators of compromise (IoCs).
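The process chain described above (Word spawning cmd.exe, an outbound connection to the campaign domain, and regsvr32 loading a module that is not a .dll) is what endpoint telemetry can catch regardless of whether the document itself is detected. The following is an added detection example written for this page; it is not code from Morphisec or the NJCCIC. The events are constructed to resemble Sysmon process-create (Event ID 1) and network-connect (Event ID 3) records, the drop path under the user's Temp directory is an assumption, and the rules are generalised slightly beyond the text to cover other Office applications and script hosts.

```python
"""Detect the CVE-2018-4878 campaign's process chain over constructed
Sysmon-style events. Example code added for this page, not Morphisec's
or the NJCCIC's tooling; the events below are made up, not captured."""
import ntpath
import shlex
from dataclasses import dataclass

# Domain named in the advisory (de-fanged there as safe-storage[.]biz).
IOC_DOMAINS = {"safe-storage.biz"}
# Generalised beyond Word/cmd.exe, which is all the advisory mentions.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
DLL_SUFFIXES = (".dll", ".ocx")
# Locations a dropped payload typically lands in (assumption, not from the advisory).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class ProcEvent:
    event_id: int            # 1 = process create, 3 = network connect (Sysmon numbering)
    image: str
    parent_image: str = ""
    command_line: str = ""
    dest_host: str = ""


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def regsvr32_module(command_line: str) -> str:
    """Return the module path handed to regsvr32: the last token that is not a
    /switch, with surrounding quotes removed. Empty string if there is none."""
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    args = [t for t in tokens[1:] if not t.startswith("/")]
    return args[-1] if args else ""


def office_spawns_shell(e: ProcEvent) -> bool:
    """Word (or another Office app) launching a shell or script host."""
    return e.event_id == 1 and base(e.parent_image) in OFFICE_APPS and base(e.image) in SHELLS


def ioc_domain_connect(e: ProcEvent) -> bool:
    """Any process connecting to a domain from the campaign IoC list."""
    return e.event_id == 3 and e.dest_host.lower().rstrip(".") in IOC_DOMAINS


def regsvr32_suspicious_module(e: ProcEvent) -> bool:
    """regsvr32 registering a file without a DLL extension (the campaign's
    'm.db') or one sitting in a user-writable directory."""
    if e.event_id != 1 or base(e.image) != "regsvr32.exe":
        return False
    mod = regsvr32_module(e.command_line).lower()
    if not mod:
        return False
    return not mod.endswith(DLL_SUFFIXES) or any(p in mod for p in USER_WRITABLE)


RULES = (office_spawns_shell, ioc_domain_connect, regsvr32_suspicious_module)


def detect(events):
    """Return (rule_name, event) pairs for every event that matches a rule, in event order."""
    return [(rule.__name__, e) for e in events for rule in RULES if rule(e)]


# Constructed sample telemetry mirroring the advisory's chain; the last event is
# a benign regsvr32 use included to show the rule does not fire on it.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    ProcEvent(1, WINWORD, r"C:\Windows\explorer.exe", '"WINWORD.EXE" /n invoice.docx'),
    ProcEvent(1, r"C:\Windows\System32\cmd.exe", WINWORD, "cmd.exe"),
    ProcEvent(3, r"C:\Windows\System32\cmd.exe", dest_host="safe-storage.biz"),
    ProcEvent(1, r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\cmd.exe",
              r"regsvr32.exe /s C:\Users\victim\AppData\Local\Temp\m.db"),  # path assumed
    ProcEvent(1, r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\msiexec.exe",
              r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"),
]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name}: {base(ev.image)} cmd={ev.command_line!r} host={ev.dest_host!r}")
```

Each rule is cheap enough to run on every event, and the three together describe the chain rather than any single IoC: the domain will change between campaigns, but an Office process spawning cmd.exe and regsvr32 registering a non-DLL from a Temp directory are behaviours that survive a change of infrastructure.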