On October 10, 2017 a new Adobe Flash zero day exploit was seen in the wild and Adobe released a patch and details around CVE-2017-11292. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware.
Symantec Data Center Security: Server Advanced (DCS:SA) IPS provides protection against the BlackOasis attack. All three Windows 6.0 policy levels (Basic, Hardening and Whitelisting), as well as all 5.2.9 policies (Limited Execution, Strict, and Core), prevent the BlackOasis attack.
Here is a summary of the actions taken by the malware:
Exploit comes in as a Word document with embedded flash content
Memory corruption in a Java class from Adobe (com.adobe.tvsdk.mediacore.BufferControlParameter)
Exploit gains code execution in Word
Second stage payload (5uzosoff0u.iaf) is downloaded
Second stage downloads a third stage payload, FinSpy
Downloads mo.exe (MD5: 4a49135d2ecc07085a8b7c5925a36c0a)
Third stage payload writes the following files to disk:
C:\ProgramData\ManagerApp\AdapterTroubleshooter.exe
C:\ProgramData\ManagerApp\15b937.cab
C:\ProgramData\ManagerApp\install.cab
C:\ProgramData\ManagerApp\msvcr90.dll
C:\ProgramData\ManagerApp\d3d9.dll
AdapterTroubleshooter.exe is a legitimate Microsoft binary, but it is tricked into loading the malicious d3d9.dll through DLL search order hijacking
AdapterTroubleshooter.exe is run, which loads the malicious DLL
The malicious DLL injects FinSpy code into Winlogon
Winlogon now steals data from the system and sends it to attacker-owned C2 servers
The above steps are blocked by DCS policy controls:
Modifications to Executables blocks Step#5 using the out-of-the-box policies:
Basic, Hardened, Office, IExplore, and every other sandbox that uses Flash has this enabled out of the box
The Global No Run List can block Step #6 above and can be used to build a targeted prevention policy to stop the attack:
Adding the FinSpy hash to the global_svc_child_norun_list will prevent FinSpy from running
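As an added example (not Symantec's code and not a DCS policy), the script below turns the indicators listed above into a host check a responder can run: it flags any executable whose MD5 matches the FinSpy mo.exe hash, any of the dropped file names under C:\ProgramData\ManagerApp, and the search-order hijack pattern itself, a DLL that normally lives in System32 (d3d9.dll, msvcr90.dll) sitting next to an executable in a user-writable folder. The sample file set is constructed for the demonstration; the trusted-directory prefixes are an assumption of this example.

```python
import hashlib
from pathlib import Path, PureWindowsPath

# Indicators taken from the advisory text above
FINSPY_MO_EXE_MD5 = "4a49135d2ecc07085a8b7c5925a36c0a"
DROPPED_DIR = "c:\\programdata\\managerapp"
DROPPED_NAMES = {
    "adaptertroubleshooter.exe", "15b937.cab", "install.cab",
    "msvcr90.dll", "d3d9.dll",
}
# DLLs a genuine AdapterTroubleshooter.exe would resolve from System32;
# a copy beside the EXE in a writable folder is the hijack pattern.
SIDELOAD_DLLS = {"d3d9.dll", "msvcr90.dll"}
# Assumption of this example: directories where co-located DLLs are expected
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string, lowercase hex, for comparison with the IoC."""
    return hashlib.md5(data).hexdigest()


def evaluate_files(files):
    """files: {windows_path: content_bytes}. Returns a list of (path, reason)."""
    findings = []
    # Directories that contain at least one executable, for the sideload rule
    dirs_with_exe = {
        str(PureWindowsPath(p).parent).lower()
        for p in files if PureWindowsPath(p).suffix.lower() == ".exe"
    }
    for path, content in files.items():
        wp = PureWindowsPath(path)
        name = wp.name.lower()
        parent = str(wp.parent).lower()
        # Rule 1: hash match against the FinSpy third stage
        if md5_hex(content) == FINSPY_MO_EXE_MD5:
            findings.append((path, "MD5 matches FinSpy mo.exe"))
        # Rule 2: exact path match against the files the third stage drops
        if parent == DROPPED_DIR and name in DROPPED_NAMES:
            findings.append((path, "matches file dropped by FinSpy third stage"))
        # Rule 3: system DLL beside an EXE outside trusted directories
        in_trusted = (parent + "\\").startswith(TRUSTED_DIRS)
        if name in SIDELOAD_DLLS and parent in dirs_with_exe and not in_trusted:
            findings.append((path, "system DLL beside an executable in a writable "
                                   "folder: possible DLL search-order hijack"))
    return findings


def scan_directory(root):
    """Read a real directory tree into the {path: bytes} shape evaluate_files wants."""
    files = {str(p): p.read_bytes() for p in Path(root).rglob("*") if p.is_file()}
    return evaluate_files(files)


# Constructed sample host contents; the bytes are placeholders, not real binaries
SAMPLE_FILES = {
    r"C:\ProgramData\ManagerApp\AdapterTroubleshooter.exe": b"MZ constructed exe",
    r"C:\ProgramData\ManagerApp\d3d9.dll": b"constructed fake dll",
    r"C:\Windows\System32\d3d9.dll": b"constructed genuine dll",
    r"C:\Users\alice\Documents\report.docx": b"PK constructed document",
}

if __name__ == "__main__":
    for path, reason in evaluate_files(SAMPLE_FILES):
        print(f"{path}: {reason}")
```

On a live host, scan_directory(r"C:\ProgramData") applies the same three rules to the real tree; the hash rule is the equivalent of the global_svc_child_norun_list entry described above, while the path and sideload rules catch a renamed sample that the hash alone would miss.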