Flash Bugs Exploited in Latest Mass Compromise

Another mass compromise through (yet again) another SQL injection attack. The "yet again"s and "another"s keep coming, right? This time, unlike its predecessors, which relied on relatively old, well-known and long-patched exploits, the attack introduces a new kid on the block: what looks like a zero-day exploit for a previously unknown vulnerability in Adobe Flash Player, which lets the attackers install information stealers on affected PCs.

Well, this one already has a lot of history behind it. Mass compromises have been the month of May's major story. TrendLabs has found them hitting Web sites everywhere from a large part of the Asian region (see here and here) to Italian-language sites, often only days apart (besides the links above, more information can be found on our blog).

Certain legitimate sites were found to have been injected with scripts that silently redirect browsers to sites hosting exploits for the Flash vulnerability (or vulnerabilities). When certain system conditions are met and the exploit succeeds, the PC downloads and executes information stealers (such as TSPY_UPACK.D) or droppers (such as TROJ_DROPPER.NAK).

TrendLabs detects the malicious .SWF files as SWF_DLOADER.YVM and SWF_DLOADER.YVN. Notably, the domains used in this attack impersonate the domain name of the well-known phone maker Nokia and that of the popular online game Defense of the Ancients (DotA). Other domains are lkjrc and woai117 (both, unsurprisingly, under .cn).
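Site owners hit by an injection like this usually learn of it from their visitors, because the injected tag is appended to stored content and rendered on every page. The scanner below is an added example (not TrendLabs code and not part of the original post) of the check a webmaster could run over their own HTML: it flags every off-site script or iframe source and adds a stronger verdict when the host carries one of the labels named above or mimics a spoofed brand. The full hostnames (lkjrc.cn, woai117.cn, nokia-update.cn) and the sample page are assumptions constructed for the example; the post gives only the labels and the brand names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed values: the post names only the labels "lkjrc" and "woai117" (under .cn)
# and says other hosts impersonate Nokia and DotA; exact hostnames are not given.
KNOWN_BAD_LABELS = {"lkjrc", "woai117"}
SPOOFED_BRANDS = ("nokia", "dota")


def classify_host(host):
    """Return the reasons an off-site host looks suspicious (least to most specific)."""
    reasons = ["off-site resource"]
    labels = host.lower().split(".")
    if labels[-1] == "cn" and any(label in KNOWN_BAD_LABELS for label in labels):
        reasons.append("known malicious label")
    if any(brand in host.lower() for brand in SPOOFED_BRANDS):
        reasons.append("brand lookalike")
    return reasons


class InjectedTagFinder(HTMLParser):
    """Collects <script>/<iframe> elements whose src points away from the site's own host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # urlsplit gives hostname None for relative paths and handles "//host/x" too
        host = (urlsplit(src).hostname or "").lower()
        if not host or host == self.site_host:
            return  # same-origin resource: not what a mass SQL injection inserts
        self.findings.append(
            {"tag": tag, "src": src, "host": host, "reasons": classify_host(host)}
        )


def find_injected_tags(html, site_host):
    """Parse a page and return every off-site script/iframe with its verdict."""
    parser = InjectedTagFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate local script, one legitimate CDN script,
# and three injected references. The last one sits after </html>, which is where
# content appended to a database column often ends up when rendered.
SAMPLE_PAGE = """<html><head><title>Example store</title>
<script src="/js/site.js"></script></head>
<body><p>Welcome back<script src="http://lkjrc.cn/s.js"></script></p>
<iframe src="http://nokia-update.cn/flash.swf" width="0" height="0"></iframe>
<script src="https://cdn.example.com/lib.js"></script>
</body></html><script src="http://woai117.cn/x.js"></script>"""


if __name__ == "__main__":
    for finding in find_injected_tags(SAMPLE_PAGE, "www.example.com"):
        print(f"<{finding['tag']} src={finding['src']}>: {', '.join(finding['reasons'])}")
```

The "off-site resource" verdict on its own is only a lead (the CDN script in the sample is legitimate), so the output is meant to be reviewed against the site's known dependencies; a real deployment would also whitelist the brands' genuine domains so that the lookalike check does not fire on nokia.com itself.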

TrendLabs has already blocked the malicious domains involved in this attack and detects the following malware installed on compromised systems:

  • HTML_DLDR.BF
  • TSPY_UPACK.D
  • TROJ_DROPPER.NAK

This unspecified remote code execution vulnerability in certain versions of Adobe Flash Player is the one referred to here.

This entry was posted on Wednesday, May 28th, 2008 and is filed under Uncategorized.