Flash 0 Day In The Wild: Group 123 At The Controls
2018-02-02 • Cisco Talos
http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html
Talos attributed in-the-wild exploitation of Adobe Flash CVE-2018-4878 to Group 123. The attack used a malicious Microsoft Excel document with an embedded Flash ActiveX object; opening the spreadsheet triggered a use-after-free exploit that downloaded shellcode from compromised South Korean websites and executed a ROKRAT variant in memory. The payload infrastructure included URLs on 1588-2040.co.kr, korea-tax.info, and dylboiler.co.kr, and one sample carried the PDB path d:\HighSchool\version 13\2ndBD\T+M\T+M\Result\DocPrint.pdb. ROKRAT's use of cloud platforms for document exfiltration and remote system management made the campaign significant for organizations monitoring Korean-themed phishing and exploit delivery.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | e1546323dc746ed2f7a5c973dcecc79… | 2018-02-02 | 2018-02-27 |
| HASH | 3b1395f620e428c5f68c6497a2338da… | 2018-02-02 | 2018-02-02 |
| HASH | fec71b8479f3a416fa58580ae76a8c7… | 2018-02-02 | 2018-02-02 |
| URL | http://www.1588-2040.co.kr/conf… | 2018-02-02 | 2018-02-02 |
| URL | http://www.dylboiler.co.kr/admi… | 2018-02-02 | 2018-02-02 |
| URL | http://www.korea-tax.info/main/… | 2018-02-02 | 2018-02-02 |
| URL | http://www.1588-2040.co.kr/desi… | 2018-02-02 | 2018-02-02 |