
Emerging Threats

Hybrid Cyber Warfare between Russia and Ukraine — Italy among the targets

frtg · 3 min read

In November, two foreign security firms identified new malware exploiting an Adobe Flash Player zero-day (CVE-2018-15982) embedded within a Word document. Both organizations associated the offensive operation with a malware attack against a Russian clinic, attributed to the Ukrainian government.

Our telemetry allows us to extend the known scope of these offensive operations to Russian and Eastern European financial institutions. The hypothesis that the source of the attack is a state actor, rather than an APT group developing its own proprietary tools, is reinforced by the mismatch between the sophistication of the malware and the evident operational security failures made during the campaign.

In the recent history of conventional and non-conventional warfare between Russia and Ukraine, the cyber dimension of operations conducted by both sides warrants consideration. Recent cyber intrusions demonstrate the current state of Hybrid Cyber Warfare between the parties.

Although the operations appear largely confined to systems within the two countries, our intelligence indicates that an Italian financial institution was among the targets.

National attribution of targeted institutions

This significant finding underscores the necessity for all organizations—whether strategically critical to national infrastructure or not—to upgrade defensive capabilities against this class of attacks and adversarial intrusions.

The importance of countering targeted, persistent, and sophisticated attacks is evident.

Why Hybrid Cyber Warfare?

Hybrid Cyber Warfare denotes a military strategy combining irregular, conventional, and cyber warfare. NATO has addressed Hybrid Warfare, defining it as warfare that “simultaneously employ conventional and non-conventional means adaptively in pursuit of one’s objectives”.

Hybrid Warfare references:

Malware Capabilities

Our telemetry does not permit identification of systems actually compromised; however, the attack demonstrates considerable complexity and technical sophistication. The malware accesses system information and is capable of executing lateral movement within compromised infrastructure. Exploitation of the Adobe Flash Player vulnerability enables code execution without user interaction. Opening the malicious document is sufficient for system compromise. Through Cyber Threat Intelligence collection, we have tracked the full attack chain and associated infrastructure.

Execution and Attack Flow

The attack structure mirrors the operation against the Russian clinic. The attacker sends an email carrying a .rar archive that contains a Word document and an image.

The Word document contains an .swf file (Adobe Flash) embedding the exploit (CVE-2018-15982). The vulnerability allows the attacker to execute system commands without further user interaction. In this case, the malware “NVIDIAControlPanel.exe” is extracted from the .jpg file and copied to “%APPDATA%\NVIDIAControlPanel\NVIDIAControlPanel.exe” (described as the NVIDIA Control Panel application).

Persistence on the compromised system is achieved through Windows Task Scheduler task creation.

Network Connections

Following the initial compromise, persistence establishment, and information-gathering (fingerprinting) activities, the malware initiates command-and-control communication over HTTP to the IP address “188.241.58.68”.
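A hunt over host and proxy telemetry for the indicators given in this post (the dropped binary under %APPDATA%, the scheduled-task persistence described in the attack flow, and the HTTP command-and-control address), written as an added example for this post rather than the vendor's own tooling. The key=value log format and the sample lines are constructed, as is the .rar-with-document-and-image heuristic, which is only a weak signal by itself.

```python
import re
from dataclasses import dataclass

# Indicators taken from the post: the dropped binary's path (literal %APPDATA%
# form and expanded AppData\Roaming form), schtasks persistence, and the C2 IP.
DROPPED_EXE_RE = re.compile(
    r"(%appdata%|appdata\\roaming)\\nvidiacontrolpanel\\nvidiacontrolpanel\.exe",
    re.IGNORECASE,
)
C2_ADDRESS = "188.241.58.68"

# Constructed sample telemetry in a hypothetical key=value format (not real logs).
SAMPLE_LOG = [
    r'event=mail_attachment sender=ext@example.invalid name="report.rar" members="report.docx,photo.jpg"',
    r'event=file_create image="C:\Program Files\Microsoft Office\WINWORD.EXE" path="C:\Users\alice\AppData\Roaming\NVIDIAControlPanel\NVIDIAControlPanel.exe"',
    r'event=process_create image="C:\Windows\System32\schtasks.exe" cmdline="schtasks /create /sc minute /mo 5 /tn NVIDIAControlPanel /tr %APPDATA%\NVIDIAControlPanel\NVIDIAControlPanel.exe"',
    r'event=http_request src=10.0.0.15 dst=188.241.58.68 method=POST uri=/',
    r'event=http_request src=10.0.0.15 dst=203.0.113.5 method=GET uri=/index.html',
]

@dataclass
class Hit:
    line_no: int
    indicator: str
    detail: str

def parse_kv(line):
    """Split a key=value line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def hunt(lines):
    """Return one Hit per log line matching an indicator from the post."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_kv(line)
        kind = ev.get("event")
        if kind == "file_create" and DROPPED_EXE_RE.search(ev.get("path", "")):
            hits.append(Hit(n, "dropped_binary", ev["path"]))
        elif (kind == "process_create"
              and ev.get("image", "").lower().endswith("schtasks.exe")
              and DROPPED_EXE_RE.search(ev.get("cmdline", ""))):
            hits.append(Hit(n, "scheduled_task_persistence", ev["cmdline"]))
        elif kind == "http_request" and ev.get("dst") == C2_ADDRESS:
            hits.append(Hit(n, "c2_beacon", f"{ev.get('src')} -> {C2_ADDRESS}"))
        elif kind == "mail_attachment" and ev.get("name", "").lower().endswith(".rar"):
            # Weak on its own: the lure was a .rar holding a Word file plus an image.
            members = ev.get("members", "").lower().split(",")
            if any(m.endswith((".doc", ".docx")) for m in members) and any(m.endswith((".jpg", ".jpeg")) for m in members):
                hits.append(Hit(n, "rar_with_doc_and_image", ev["name"]))
    return hits
```

Running `hunt(SAMPLE_LOG)` flags the first four sample lines and leaves the benign HTTP request alone; the dropped-path and task checks catch both the literal and the expanded form of the path.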

This infrastructure is hosted within a Romanian datacenter:

Threat Hunting & Incident Response

Comprehensive threat analysis, attack vector details, malware samples, and complete indicators of compromise are available through detailed technical reporting. The full dataset includes primary threat intelligence and compromise indicators for the current quarter.


References

References to malware detections:

https://atr-blog.gigamon.com/2018/12/05/adobe-flash-zero-day-exploited-in-the-wild/

http://blogs.360.cn/post/PoisonNeedles_CVE-2018-15982_EN
