Earlier this month, FireEye's Singapore-based FireEye as a Service team discovered a phishing campaign dubbed 'Operation Clandestine Wolf', which involves exploiting an Adobe Flash Player zero-day vulnerability.
According to the threat intelligence team, the attackers' emails included links to compromised web servers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113.
Operation Clandestine Wolf has been attributed to a China-based threat group named APT3 (also known as UPS). FireEye previously linked this group to another threat campaign, called Operation Clandestine Fox, which introduced new browser-based zero-day exploits targeting Internet Explorer and Firefox.
In the last several weeks, APT3 actors launched this large-scale phishing campaign against industries such as aerospace and defense, construction and engineering, high tech, telecommunications, and transportation.
The phishing emails used by APT3 in this campaign were found to be extremely generic in nature and almost spam-like. Upon clicking the link included in the email, the target will be redirected to a compromised server that automatically downloads the malicious Flash file. This ends up placing a custom backdoor, known as SHOTPUT, on the victim's system.
Once APT3 has access to a target network, they work quickly and they are extremely proficient at enumerating and moving laterally to maintain their access. Additionally, this group uses zero-day exploits, continually updated custom backdoors, and throwaway command and control (CnC) infrastructure, making it difficult to track them across campaigns.
Following this discovery, Adobe released security updates for Adobe Flash Player to address this critical vulnerability, which allows attackers to take control of the affected system. FireEye recommends that users update their Flash Player installations to the latest version as soon as possible.