A newly discovered Adobe Flash zero-day exploit has been uncovered delivering the FinSpy commercial malware.
Kaspersky Lab spotted it being used in the wild on Oct. 10, by a group of attackers known as BlackOasis. An exploit delivers its payload through a Microsoft Word document.
“The attack using the recently discovered zero-day exploit is the third time this year we have seen FinSpy distribution through exploits to zero-day vulnerabilities,” said Anton Ivanov, lead malware analyst at Kaspersky Lab. “Previously, actors deploying this malware abused critical issues in Microsoft Word and Adobe products. We believe the number of attacks relying on FinSpy software, supported by zero day exploits such as the one described here, will continue to grow.”
Analysis reveals that, upon successful exploitation of the vulnerability, the FinSpy malware (also known as FinFisher) is installed on the target computer, equipped with multiple anti-analysis techniques to make forensic analysis more difficult. After installation, the malware establishes a foothold on the attacked computer and connects to its command and control servers located in Switzerland, Bulgaria and the Netherlands, to await further instructions and exfiltrate data.
FinSpy is typically sold to nation states and law enforcement agencies to conduct surveillance. In the past, use of the malware was mostly domestic, with law enforcement agencies deploying it for surveillance on local targets.
BlackOasis is a significant exception to this, and uses it against a wide range of targets across the world. This appears to suggest that FinSpy is now fueling global intelligence operations, Kaspersky Lab said, with one country using it against another.
Based on Kaspersky Lab’s assessment, the interests of BlackOasis span a whole gamut of figures involved in Middle Eastern politics, including prominent figures in the United Nations, opposition bloggers and activists, as well as regional news correspondents. They also appear to have an interest in verticals of particular relevance to the region. During 2016, the company’s researchers observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering and other activities. There is also an interest in international activists and think tanks.
So far, victims of BlackOasis have been observed in Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, United Kingdom and Angola.
The researchers believe that the group behind the attack was also responsible for CVE-2017-8759, another zero day, reported in September.
Kaspersky Lab reported the vulnerability to Adobe, CVE-2017-11292, which has issued an advisory with a patch.