ScarCruft APT Gang Targets High-Profile Russian, Asian Victims


A new APT group has been uncovered, operating primarily against high-profile victims in Russia and Asia.

According to Kaspersky Lab, the ScarCruft APT gang is carrying out Operation Daybreak using a Flash Player zero-day, which Kaspersky privately disclosed to Adobe in March. The flaw allows full remote code execution on the victim's machine, and Kaspersky said that there have been more than two dozen Operation Daybreak victims to date.

Attacks start with spear-phishing emails that include a link to a website hosting an exploit kit associated with ScarCruft; after a chain of redirects, the victim's browser lands on a server in Poland. Those falling victim include an Asian law enforcement agency, a large Asian trading company, an American mobile advertising company and individuals affiliated with the International Association of Athletics Federations (IAAF).

“The ScarCruft APT group is a relatively new player and managed to stay under the radar for some time,” Kaspersky researchers wrote in a brief. “In general, their work is very professional and focused. Their tools and techniques are well above the average.”

The group has a number of operations underway, Kaspersky said, and is using an arsenal of two Flash Player exploits and a third against Microsoft's Internet Explorer. A second set of attacks, called Operation Erebus, uses the other Flash exploit, CVE-2016-4117, and relies on watering hole attacks rather than spear-phishing.

For its part, Adobe has patched both vulnerabilities and has made it harder to develop exploits in general for Flash.

“Nowadays, in-the-wild Flash Player exploits are becoming rare,” the researchers wrote. “This is because in most cases they need to be coupled with a Sandbox bypass exploit, which makes them rather tricky. Additionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash Player more and more difficult.”

