Adobe kills a North Korean hacking group’s first zero-day

Adobe patched a Flash Player zero-day flaw used by suspected North Korean hackers to install malware on PCs south of the demilitarized zone. 

The suspected North Korean hacking group, known as Group 123, has lost its first known zero-day exploit for infecting systems with ROKRAT, a remote administration tool used to spy on South Korean targets as well as destroy data on infected systems.

Adobe last week warned users that a previously unknown Flash Player flaw, tagged as CVE-2018-4878, was being used in targeted attacks against Windows users. The flaw allowed remote attackers to execute code on target systems. 

The attackers, which Cisco’s Talos researchers identified as Group 123, embedded a malicious SWF Flash file in Excel documents and sent them to South Korean targets by email. 

Alongside Adobe’s initial advisory South Korea’s computer emergency response team, KrCERT, warned locals it had seen the un-patched Flash Player flaw being used inside Office documents. Adobe credited KrCERT with reporting the issue. 

The update for Flash Player on Windows, Macintosh, Linux and Chrome OS moves Adobe’s media player to version 28.0.0.161. Adobe generally times its Flash Player updates to coincide with Microsoft’s Patch Tuesday updates, but occasionally releases outside that cycle when needed.   

Most Windows users don’t need to worry about the immediate threat posed by this flaw, however that may change over time. 

Flash Player flaws once were favored by cybercriminals to compromise desktops but have been less frequently targeted since Google, Apple, Microsoft and Mozilla began restricting Flash and defaulting to HTML5 instead. Adobe and major browser makers have nonetheless agreed to support Flash Player until the end of 2020. 

Google will fully remove Flash support in December 2020 in some version above Chrome 87, but has three milestones to reach before the final nail in the coffin.

But Adobe’s patch shows Flash flaws are still useful to a different audience than typical cybercriminals, in this case a suspected state-sponsored hacker group that wants to deliver a RAT. 

Cisco’s Talos malware researchers in January detailed six hacking campaigns carried out in 2017 by Group 123 to deliver ROKRAT. The campaigns mostly showed the RAT was capable of remotely manipulating data on targeted systems, but in one instance it was used to wipe disks. The campaigns used known flaws in Office and a Korean productivity software product, however, none of the attacks used a zero-day exploit. 

That changed with CVE-2018-4878, according to Talos researchers Warren Mercer and Paul Rascagneres. 

“Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT — they have used an Adobe Flash 0-day which was outside of their previous capabilities,” the researchers wrote.  

“[Group 123] did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.