Security researchers from FireEye have analyzed the campaign
A few hours ago, Adobe released an out-of-band update for Flash Player to address a total of three vulnerabilities, one of which (CVE-2014-0502) is being actively exploited by cybercriminals in a targeted attack. Adobe has credited Google and FireEye for reporting this zero-day.In a blog post published shortly after Adobe released the update, FireEye researchers revealed that the zero-day had been used in an attack involving multiple economic and foreign policy sites.
The visitors of at least three non-profit organizations, two of which deal with matters of US national security, have been redirected to a server hosting the zero-day exploit.
This operation, dubbed by FireEye “GreedyWonk,” appears to be related to an older campaign analyzed by ShadowServer back in May 2012.
“The group behind this campaign appears to have sufficient resources (such as access to zero-day exploits) and a determination to infect visitors to foreign and public policy websites. The threat actors likely sought to infect users to these sites for follow-on data theft, including information related to defense and public policy matters,” FireEye experts noted in their blog post.
The existence of the Adobe Flash Player zero-day was uncovered on February 13, when researchers noticed that the visitors of the Peter G. Peterson Institute for International Economics (piie[dot]com) were redirected to an exploit server via a hidden iframe.
Experts found that the visitors of two other sites – the one of the American Research Center in Egypt (arce[dot]org) and the one of the Smith Richardson Foundation (srf[dot]org) – were also redirected to the same server.
The attackers tried to bypass ASLR protections by targeting only computers running Windows XP, Windows 7 with Java 1.6, and Windows 7 running unpatched versions of Office 2007 and 2010.
The exploit is used to download and install the PlugX/Kaba RAT, allowing the attackers to take control of the infected devices. The version of the RAT used in this campaign was compiled on February 12. This suggests that it has been deployed specifically for Operation GreedyWonk.