A newly discovered Adobe Flash zero-day exploit is using Microsoft Office files to spread a stack-based buffer overflow attack, but with a twist: The malicious file doesn’t contain any actual malware.

Discovered by 360 Core Security and security firm ICEBRG, this new Flash zero day was specifically found to be targeting users in the Middle East, with a potential focus on Qatar.

Malicious Office files aren’t a new way to spread malware, but this particular attack has a trick up its sleeve: It remotely downloads the Shockwave Flash (SWF) file containing its payload once opened. That means the file itself doesn’t contain any malware, making it easier to fly under the radar.

Adobe has released a patch to address the zero-day exploit, and those still using Flash are advised to update now.

It’s important to understand that there are two pieces of malware news present in this story: A new Flash zero day and a new way of applying multi-stage malware to Office documents.

Multi-stage malware involves using command and control (C&C) servers to execute a malware attack in multiple stages. In the case of this Office Flash zero day the attacker delivers an Office document that contains a link to an SWF file hosted on the C&C server, but it isn’t done after that.

SEE: IT leader’s guide to the threat of fileless malware (Tech Pro Research)

After the malicious SWF file has run on the target machine it downloads encrypted data containing the payload itself and the keys necessary to decrypt it. Once decrypted, the payload downloads and executes a malicious shell file, which in turn performs the exploit and downloads more malware.

The Flash zero day itself operates by getting Flash’s interpreter to throw an exception while trying to trigger a try catch statement. “Because Flash assumes that it is impossible to execute to the catch block when processing the try catch statement, it does not check the bytecode in the catch block. The attacker uses the getlocal, setlocal instruction in the catch block to read and write arbitrary addresses on the stack,” 360 Core Security said.

Protecting yourself from this Flash zero day

This attack has been seen in the wild, and Adobe has already issued a patch to Flash to fix it. Even if you don’t think you’re at risk from being phished by a malicious Office file you should still update Flash immediately.

As for the issue with Office loading malicious SWF files, Microsoft has issued a security bulletin addressing the issue, specifically recommending users turn off ActiveX in Office 2007 and 2010.

In this particular attack, like many others, malware is spread via phishing. While this case may have exploited Office documents there’s no reason to assume future instances of this zero-day attack will operate the same way. Along with protecting your systems, users need to be educated on how to avoid opening phishing emails, clicking on bad links, or visiting disreputable websites.

The big takeaways for tech leaders:

  • A new Adobe Flash zero-day exploit is attacking using multi-stage malware embedded in a malicious Office document.
  • Adobe has issued a fix for the issue, and Microsoft has advised users to deactivate ActiveX in Office to avoid launching malicious Flash files.

Also see