Analysis by Brooks Li, Feike Hacquebord, and Peter Pi
Trend Micro researchers have discovered that the attackers behind Pawn Storm are using a new Adobe Flash zero-day exploit in their latest campaign. Pawn Storm is a long-running cyber-espionage campaign known for its high-profile targets and usage of the first Java zero-day we’ve seen in the last couple of years.
We coordinated with Adobe in processing this finding. They have since released a security advisory and assigned it with the identifier CVE-2015-7645. Adobe has since released the bulletin APSB15-27 to address this vulnerability
In this most recent campaign, Pawn Storm targeted several foreign affairs ministries from around the globe. The targets received spear phishing e-mails that contained links leading to the exploit. The emails and URLs were crafted to appear like they lead to information about current events, with the email subjects containing the following topics:
“Suicide car bomb targets NATO troop convoy Kabul”
“Syrian troops make gains as Putin defends air strikes”
“Israel launches airstrikes on targets in Gaza”
“Russia warns of response to reported US nuke buildup in Turkey, Europe”
“US military reports 75 US-trained rebels return Syria”
It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.
Foreign affairs ministries have become a particular focus of interest for Pawn Storm recently. Aside from malware attacks, fake Outlook Web Access (OWA) servers were also set up for various ministries. These are used for simple, but extremely effective, credential phishing attacks. One Ministry of Foreign Affairs got its DNS settings for incoming mail compromised. This means that Pawn Storm has been intercepting incoming e-mail to this organization for an extended period of time in 2015.
Based on our analysis, the Flash zero-day affects at least Adobe Flash Player versions 126.96.36.199 and 188.8.131.52.
Figure 1. Affected Adobe versions
Defense against threats that involve zero-day exploits require proactive multi-layered solutions. Zero-day vulnerabilities in applications like Adobe Flash have proven to be difficult to manage since they are commonly targeted and at the same time very widely used. Trend Micro technologies protects users from zero-day exploits by offering protections for all the different layers within an infrastructure.
More specifically, the existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery, can be used to detect this threat by its behavior without any engine or pattern updates.
Trend Micro Deep Security and Vulnerability Protection, on the other hand, protect user systems from threats that may leverage this Adobe Flash zero-day with the DPI rule 1007119 – Identified Malicious Adobe Flash SWF File.
We have notified Adobe about our discovery and are working with them to address this security concern.
You may read about the technical details of this vulnerability in our blog entry, Latest Flash Exploit Used in Pawn Storm Circumvents Mitigation Techniques.
The SHA1 hashes of files related to this threat are:
- 2DF498F32D8BAD89D0D6D30275C19127763D5568 – detected as SWF_OLOLO.A
- 20F5A9C0E1D2AEF36D15CA149FE71AC6B2A9AF1E – detected as TROJ_SEDNIT.D
- A5FCA59A2FAE0A12512336CA1B78F857AFC06445 – detected as TSPY_SEDNIT.D
Updated on October 13, 2015 9:50 P.M. PDT (UTC-7) to add more details on past Pawn Storm campaigns and details on provided Trend Micro protection.
Updated on October 14, 2015 8:34 A.M. PDT (UTC-7) to include the CVE designation of the zero-day vulnerability.
Updated on October 14, 2015 5:45 P.M. PDT (UTC-7) to update the Trend Micro protections.
Updated on October 15, 2015 2:50 A.M. PDT (UTC-7) to add target patch date announced by Adobe.
Updated on October 15, 2015 8:50 P.M. PDT (UTC-7) to change patch date from week of October 19 to as early as October 16, as stated by Adobe.
Updated on October 16, 2015 9:50 A.M. PDT (UTC-7) to include links to the patch and to a related blog entry.
Updated on October 17, 2015 7:29 P.M. PDT (UTC-7) to add the SHA1 hashes related to this latest Flash exploit.