Critical System Protection

Adobe Flash CVE-2017-11292 - BlackOasis Zero Day Attack

Oct 25, 2017 12:39 PM

Adobe Flash CVE-2017-11292

On October 10, 2017, a new Adobe Flash zero-day exploit was seen in the wild, and Adobe released a patch and details for CVE-2017-11292. The exploit was delivered through a Microsoft Office document, and the final payload was the latest version of the FinSpy malware.

Am I protected from the BlackOasis Zero Day Attack?

Symantec Data Center Security: Server Advanced (DCS:SA) IPS provides protection against the BlackOasis attack. All three levels of the Symantec DCS:SA Windows 6.0 policies (Basic, Hardening and Whitelisting), as well as all 5.2.9 policies (Limited Execution, Strict, and Core), prevent the BlackOasis attack.

What protections does Symantec provide for our customers?

Here is a summary of the actions taken by the malware:

  1. The exploit arrives as a Word document with embedded Flash content.

  2. Memory corruption occurs in an Adobe Java class (com.adobe.tvsdk.mediacore.BufferControlParameter).

  3. The exploit gains code execution in Word.

  4. A second-stage payload, 5uzosoff0u.iaf, is downloaded.

  5. The second stage downloads a third-stage payload, FinSpy:

    1. Downloads mo.exe (MD5: 4a49135d2ecc07085a8b7c5925a36c0a)

  6. The third-stage payload writes the following files to disk:

    1. C:\ProgramData\ManagerApp\AdapterTroubleshooter.exe

    2. C:\ProgramData\ManagerApp\15b937.cab

    3. C:\ProgramData\ManagerApp\install.cab

    4. C:\ProgramData\ManagerApp\msvcr90.dll

    5. C:\ProgramData\ManagerApp\d3d9.dll

  7. AdapterTroubleshooter.exe is a legitimate Microsoft binary, but it is tricked into loading the malicious d3d9.dll through a DLL search-order hijack.

  8. AdapterTroubleshooter.exe is run, which loads the malicious DLL.

  9. The malicious DLL injects code (FinSpy) into Winlogon.

  10. Winlogon now steals data from the system and sends it out to attacker-owned C2 servers.

 

The above steps are blocked by the following DCS policy controls:

  • The Modifications to Executables control blocks step 5 using the out-of-the-box policies:

    • Basic, Hardened, Office, IExplore, and every other sandbox that uses Flash have this enabled out of the box.

  • The Global No Run List can block step 6 above and can be used to build a targeted prevention policy that stops the attack:

    • Adding the FinSpy hash to the global_svc_child_norun_list will prevent FinSpy from running.
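As an added illustration (not Symantec code and not a DCS policy), the following Python sketch expresses three of the controls described above as detection rules and runs them over constructed sample events: the hash no-run check for mo.exe (hash taken from this write-up), a system DLL name being written outside System32, and the d3d9.dll search-order hijack load by AdapterTroubleshooter.exe. The event shape, the Temp path for mo.exe and the KNOWN_SYSTEM_DLLS set are assumptions.

```python
import ntpath

# FinSpy dropper hash (mo.exe) quoted in the write-up above; everything else here is constructed.
NO_RUN_MD5 = {"4a49135d2ecc07085a8b7c5925a36c0a"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLL names Windows normally resolves from System32; d3d9.dll is the one abused in this chain.
KNOWN_SYSTEM_DLLS = {"d3d9.dll"}

# Constructed sample events in a simplified Sysmon-like shape (not DCS telemetry),
# mirroring steps 5 to 9 of the chain plus one benign load for contrast.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\mo.exe",
     "md5": "4A49135D2ECC07085A8B7C5925A36C0A"},
    {"type": "filewrite", "path": r"C:\ProgramData\ManagerApp\AdapterTroubleshooter.exe"},
    {"type": "filewrite", "path": r"C:\ProgramData\ManagerApp\d3d9.dll"},
    {"type": "imageload", "process": r"C:\ProgramData\ManagerApp\AdapterTroubleshooter.exe",
     "module": r"C:\ProgramData\ManagerApp\d3d9.dll"},
    {"type": "imageload", "process": r"C:\Windows\System32\dwm.exe",
     "module": r"C:\Windows\System32\d3d9.dll"},  # benign: real d3d9.dll from System32
]

def in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS

def check_no_run(ev):
    """Global no-run list (step 6 control): a listed hash must never execute."""
    if ev["type"] == "process" and ev["md5"].lower() in NO_RUN_MD5:
        return ev["image"]

def check_dll_drop(ev):
    """Modifications-to-executables control: a system DLL name written outside System32."""
    p = ev.get("path", "")
    if ev["type"] == "filewrite" and ntpath.basename(p).lower() in KNOWN_SYSTEM_DLLS and not in_system_dir(p):
        return p

def check_sideload(ev):
    """DLL search-order hijack (steps 7-8): a system DLL name loaded from the
    process's own directory instead of from System32/SysWOW64."""
    if ev["type"] == "imageload":
        mod, proc = ev["module"], ev["process"]
        same_dir = ntpath.dirname(mod).lower() == ntpath.dirname(proc).lower()
        if ntpath.basename(mod).lower() in KNOWN_SYSTEM_DLLS and same_dir and not in_system_dir(mod):
            return mod

RULES = (("no_run_hash", check_no_run), ("dll_drop", check_dll_drop), ("dll_sideload", check_sideload))

def scan(events):
    """Return (rule name, offending path) for every event a rule fires on."""
    return [(name, hit) for ev in events for name, rule in RULES if (hit := rule(ev))]
```

Running scan(SAMPLE_EVENTS) flags the mo.exe launch, the d3d9.dll drop and the sideload from C:\ProgramData\ManagerApp, while the legitimate System32 load by dwm.exe is not reported.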
