For the past few days, a hacker group known as Group123 has been targeting Windows users with a zero-day exploit affecting Adobe Flash Player. In this attack, the malicious Flash content is embedded inside Microsoft Word documents and delivered by email. The exploit was used to deliver ROKRAT, a Trojan capable of stealing information and achieving persistence. Furthermore, the attackers were able to gain complete control of the victim’s system.
Vulnerability details
Vulnerability Category | Vulnerability Impact | Severity | CVE Number |
Use After Free | Remote Code Execution | Critical | CVE-2018-4878 |
Use After Free | Remote Code Execution | Critical | CVE-2018-4877 |
Affected Product Versions
Product | Version | Platform |
Adobe Flash Player Desktop Runtime | 28.0.0.137 and earlier versions | Windows, Macintosh |
Adobe Flash Player for Google Chrome | 28.0.0.137 and earlier versions | Windows, Macintosh, Linux and Chrome OS |
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 28.0.0.137 and earlier versions | Windows 10 and 8.1 |
Adobe Flash Player Desktop Runtime | 28.0.0.137 and earlier versions | Linux |
Patch Downloads
Product | Version | Platform | Priority | Availability |
Adobe Flash Player Desktop Runtime | 28.0.0.161 | Windows, Macintosh | 1 | Flash Player Download Center |
Adobe Flash Player for Google Chrome | 28.0.0.161 | Windows, Macintosh, Linux and Chrome OS | 1 | Google Chrome Releases |
Adobe Flash Player for Microsoft Edge and Internet Explorer 11 | 28.0.0.161 | Windows 10 and 8.1 | 1 | Microsoft Security Advisory |
Adobe Flash Player Desktop Runtime | 28.0.0.161 | Linux | 3 | Flash Player Download Center |
IOCs and Detection
Flash exploits:
fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0 : Script.SWF.C609
3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c : Exploit.Agent.MS
ROKRAT sample:
e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd : Gen:Variant.Johnnie.87661
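One way to sweep a mail-attachment or download directory for the three samples listed above, as an added example that is not part of the original advisory. It assumes the 64-character values are SHA-256 digests of the whole file; `sha256_of` and `sweep` are hypothetical helper names.

```python
import hashlib
import os

# SHA-256 values and detection names copied from the IOC list above.
IOCS = {
    "fec71b8479f3a416fa58580ae76a8c731c2294c24663c601a1267e0e5c2678a0": "Script.SWF.C609",
    "3b1395f620e428c5f68c6497a2338da0c4f749feb64e8f12e4c5b1288cc57a1c": "Exploit.Agent.MS",
    "e1546323dc746ed2f7a5c973dcecc79b014b68bdd8a6230239283b4f775f4bbd": "Gen:Variant.Johnnie.87661",
}


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large attachments are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=IOCS):
    """Return (hits, unreadable); each hit is (path, sha256, detection name)."""
    wanted = {h.lower(): name for h, name in iocs.items()}
    hits, unreadable = [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if not os.path.isfile(path):  # skip sockets, FIFOs, broken links
                continue
            try:
                digest = sha256_of(path)
            except OSError:
                # Locked or permission-denied files are reported, not silently
                # skipped, so gaps in coverage stay visible to the analyst.
                unreadable.append(path)
                continue
            if digest in wanted:
                hits.append((path, digest, wanted[digest]))
    return hits, unreadable


if __name__ == "__main__":
    import sys
    found, skipped = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, digest, name in found:
        print(f"MATCH {name} {digest} {path}")
    print(f"{len(found)} match(es), {len(skipped)} unreadable file(s)")
```

A clean result only means these exact files are absent from the scanned path; it says nothing about whether the installed Flash Player is still 28.0.0.137 or earlier.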