{"id":81055,"date":"2015-12-29T16:58:56","date_gmt":"2015-12-29T11:28:56","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=81055"},"modified":"2016-04-11T13:53:52","modified_gmt":"2016-04-11T08:23:52","slug":"quick-heal-detects-flash-exploit-from-china","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/quick-heal-detects-flash-exploit-from-china\/","title":{"rendered":"Quick Heal Detects Flash Exploit from China"},"content":{"rendered":"<p>Quick Heal\u2019s Malware Intelligence reporting system keeps track of threats detected on its customers\u2019 machines. Last quarter\u2019s malware detection statistics showed constant detection alerts in India for a well-known Adobe Flash exploit, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-5119\" target=\"_blank\">CVE-2015-5119<\/a>. Our analysis of this threat revealed that the attacker had reused the Flash exploit PoC (proof of concept) from the Hacking Team data leaked in July 2015, making only small changes to the shellcode of the Hacking Team PoC.<\/p>\n<p><strong>Details of the Exploitation<\/strong><br \/>\nThe exploitation begins with the targeted user visiting a compromised website that contains a malicious advertisement. This advertisement is a malicious IFrame (<em>an HTML document embedded inside another HTML document<\/em>) that redirects the browser to a compromised URL. 
This URL loads an Adobe Flash file in the victim\u2019s browser that targets outdated, vulnerable versions of the Adobe Flash Player plugin installed in the browser.<\/p>\n<p>The Flash file exploits CVE-2015-5119, a use-after-free in the ActionScript ByteArray class that Adobe patched in July 2015, and thereby gains code execution inside the browser process on the victim\u2019s machine.<\/p>\n<p><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2015\/12\/Flash-Exploit.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-81056\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2015\/12\/Flash-Exploit.png\" alt=\"Flash Exploit\" width=\"676\" height=\"190\" \/><\/a><br \/>\nAfter successful exploitation, the Flash file redirects execution of the browser process to its custom shellcode. The shellcode downloads a file named <strong>sever.exe<\/strong> from the IP address 74.126.180.170 and executes it. <strong>sever.exe<\/strong> in turn downloads adware and other unwanted software components onto the infected machine. 
The attacker\u2019s primary motive is financial: the adware and unwanted programs it installs pay out on a pay-per-install basis.<\/p>\n<p><strong>Detected IP addresses related to this exploit:<\/strong><\/p>\n<ul>\n<li>203.130.60.50<\/li>\n<li>61.153.56.60<\/li>\n<li>61.160.247.140<\/li>\n<li>61.160.224.174<\/li>\n<li>222.73.144.176<\/li>\n<li>59.46.204.102<\/li>\n<\/ul>\n<p><strong>How Quick Heal helps<br \/>\n<\/strong>Quick Heal has detected this exploit since July 2015; our users are fully protected against it.<\/p>\n<p><strong>Quick Heal detection statistics of the exploit<\/strong><\/p>\n<p><a href=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2015\/12\/Flash-exploit-detection-stats.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-81057\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2015\/12\/Flash-exploit-detection-stats.png\" alt=\"Flash exploit detection stats\" width=\"616\" height=\"335\" \/><\/a><\/p>\n<p><strong>Acknowledgments:<\/strong><\/p>\n<p>\u2022 Subject Matter Expert: Manish Sardiwal (Vulnerability Analysis &amp; Research Team)<br \/>\n\u2022 Quick Heal Threat Research Labs<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Quick Heal\u2019s Malware Intelligence reporting system keeps track of threats detected on its customers\u2019 machines. Last quarter\u2019s malware detection statistics showed constant detection alerts in India for a well-known Adobe Flash exploit, CVE-2015-5119. 
Our analysis of this threat revealed that the attacker had [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":82538,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[70,965,36],"tags":[1240,634],"class_list":["post-81055","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-adobe","category-adware","category-security-patch","tag-adobe-flash-exploit","tag-security-hole"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/81055"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=81055"}],"version-history":[{"count":3,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/81055\/revisions"}],"predecessor-version":[{"id":82539,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/81055\/revisions\/82539"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/82538"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=81055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=81055"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=81055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
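The post describes a two-stage chain (a .swf served from the attacker's infrastructure, then the shellcode fetching sever.exe from 74.126.180.170) and lists the IP addresses Quick Heal tied to it. The script below is an added example by the editor, not Quick Heal's code, showing how a defender would sweep proxy logs for those indicators and single out the clients that reached the second stage. The log layout (epoch, client IP, method, URL, status) is an assumption chosen to resemble a Squid-style access log, and the sample lines are constructed, not real traffic; the IOC values are the ones the post reports.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Indicators taken from the post: the host the shellcode downloads its
# payload from, the payload file name (spelled "sever.exe" as reported),
# and the other IP addresses Quick Heal associated with this exploit.
PAYLOAD_HOST = "74.126.180.170"
PAYLOAD_NAME = "sever.exe"
IOC_IPS = frozenset({
    PAYLOAD_HOST,
    "203.130.60.50",
    "61.153.56.60",
    "61.160.247.140",
    "61.160.224.174",
    "222.73.144.176",
    "59.46.204.102",
})

# Assumed log layout (not from the post): one request per line as
# "<epoch> <client-ip> <method> <url> <http-status>", roughly what a
# Squid-style proxy emits. Adjust LOG_RE for your own proxy format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s*$"
)


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_bare_ip(host):
    """True if the URL host is a literal IP address rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(entry):
    """Return the indicator tags that apply to one parsed request."""
    parts = urlparse(entry["url"])
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    tags = []
    if host in IOC_IPS:
        tags.append("ioc-ip")
    if host == PAYLOAD_HOST and path.endswith("/" + PAYLOAD_NAME):
        tags.append("payload-download")
    # A .swf fetched from a bare IP is the delivery pattern in this campaign;
    # flag it even for IPs not on the list, since attacker hosts rotate.
    if path.endswith(".swf") and is_bare_ip(host):
        tags.append("swf-from-bare-ip")
    return tags


def scan(lines):
    """Scan log lines and return (client, url, tags) for every request that matches."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or unrelated line: skip rather than crash
        tags = classify(entry)
        if tags:
            hits.append((entry["client"], entry["url"], tags))
    return hits


def likely_infected(hits):
    """Clients that fetched the payload, i.e. got past exploitation to stage two."""
    return sorted({client for client, _url, tags in hits if "payload-download" in tags})


# Constructed sample log, not real traffic: one client follows the full chain
# (ad page -> SWF from an IOC IP -> payload), another only browses normally.
SAMPLE_LOG = """\
1451404736.100 10.0.0.5 GET http://ads.example.net/banner.html 200
1451404737.210 10.0.0.5 GET http://61.160.247.140/player.swf 200
1451404739.330 10.0.0.5 GET http://74.126.180.170/sever.exe 200
1451404740.000 10.0.0.9 GET http://www.example.com/index.html 200
this line is not a log entry
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for client, url, tags in found:
        print(client, url, ",".join(tags))
    print("likely infected:", likely_infected(found))
```

Matching on the URL host rather than on raw substrings avoids false hits where an IOC address appears inside a longer octet string, and the separate "payload-download" tag is what distinguishes a client that merely loaded the exploit from one that executed the shellcode and pulled sever.exe, which is the machine to isolate first.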