The INCA Internet Response Team has detected attacks using the latest Adobe Flash Player exploit (CVE-2012-0779). In particular, we found malicious DOC files. For these reasons, users need to keep Adobe Flash Player updated to the latest version to stay safe from these security threats, and need to be careful when downloading attachments from suspicious e-mails.
2. Cases of CVE-2012-0779
Various malicious files using the CVE-2012-0779 exploit have been found. The following figure shows the malicious DOC files.
■ Malicious e-mail on April 13, 2012
This DOC file uses the CVE-2012-0779 exploit and is written in Korean. We can assume that this file may be used in APT attacks in Korea.
The file name is "유통관련자료_수정본.doc". The run screen is as follows.
This malicious DOC file contains script code that makes the user's PC access a certain URL. The malicious "exp.swf" was already installed; currently, this malicious SWF has been removed.
This malicious file contains a malicious EXE (XOR-encoded).
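An XOR-encoded EXE of the kind mentioned above can be located during triage without knowing the key. The following is an added example, not INCA Internet's tooling: it assumes a single-byte XOR applied to the whole embedded PE (the post does not state the key scheme), and the function names and sample bytes are constructed for illustration.

```python
import struct

# Text found in the DOS stub of almost every PE file; a stable anchor to search for.
DOS_STUB = b"This program cannot be run in DOS mode"

def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def find_xor_pe(blob: bytes):
    """Return [(key, offset)] for each single-byte XOR key under which a
    plausible PE image (MZ + DOS stub + PE signature) decodes from blob.
    Multi-byte or rolling keys are out of scope for this sketch."""
    hits = []
    for key in range(1, 256):          # key 0 would be a plain, unencoded PE
        needle = xor(DOS_STUB, key)
        pos = blob.find(needle)
        while pos != -1:
            # The stub text normally sits within 0x80 bytes after "MZ".
            start = max(0, pos - 0x80)
            mz = xor(blob[start:pos], key).rfind(b"MZ")
            if mz != -1:
                base = start + mz
                hdr = xor(blob[base:base + 0x40], key)
                if len(hdr) == 0x40:
                    # e_lfanew at 0x3C must point at the "PE\0\0" signature.
                    e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
                    sig = xor(blob[base + e_lfanew:base + e_lfanew + 4], key)
                    if sig == b"PE\0\0":
                        hits.append((key, base))
            pos = blob.find(needle, pos + 1)
    return hits

def build_sample(key: int = 0x5A) -> bytes:
    """Constructed test input: OLE2 magic, padding, then a skeletal
    XOR-encoded PE header at offset 512. Not a real sample."""
    pe = bytearray(0x100)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    pe[0x80:0x84] = b"PE\0\0"
    ole = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 504
    return ole + xor(bytes(pe), key) + b"\x00" * 64

if __name__ == "__main__":
    for key, off in find_xor_pe(build_sample()):
        print(f"XOR key 0x{key:02X}: embedded PE at offset {off}")
```

A hit on an attached document is a strong reason to quarantine it and carve the decoded payload for analysis in an isolated environment.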
Apart from this file, there were various malicious files written in English.
■ Malicious e-mail on May 03, 2012
"WUC Invitation Letter Guests.doc" contains the CVE-2012-0779 exploit. The following figure shows its run screen.
The DOC file includes the following script code, which can load a malicious SWF file.
After the malicious file is downloaded, the following files are executed in sequence.
The official version of Adobe Flash Player 126.96.36.199 is now being distributed. To stay safe from the CVE-2012-0779 exploit, users need to keep it updated to the latest version.
To use your PC safely against the security threats posed by these malicious attachments, we recommend that you download the latest security updates and follow the "Security management tips" below for general users.
INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.