Zero-Day Flash Player Flaw Used to Target Excel Users on Windows

A Zero-day Flash Player exploit is being executed via hidden code in Excel documents, allowing attackers to install a backdoor and control the victim's PC. It's thought to be an APT directed at Qatar.


Another day, another Adobe flaw. The once-popular web-browser plugin has been used countless times to attack users, but this time the exploit is a little different.

Discovered by Qihoo 360 Core, it makes use of Excel documents to deliver trojans and backdoors. This method reduces the chance of detection by anti-virus software and doesn't require Flash to be enabled in the browser.

To do so, the Excel file calls the Flash exploit from a remote server, allowing the attackers to serve it selectively by IP address, provider, or product. A SWF file is then downloaded from a domain created by the attacker, which in turn requests the encrypted data and decryption keys used to conceal the exploit.

From there, it can trigger the exploit and download malicious shellcode. According to Iceberg, this usually consists of a backdoor and other tools to control the user's machine. It's a sophisticated attack that's very difficult to detect, and users should update immediately to avoid it.
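As an added example (not code from the article or from the researchers it cites), the following Python script checks an .xlsx for the delivery pattern described above: an embedded Flash ActiveX control whose Movie property points at a remote SWF. It assumes the standard OOXML layout in which each control is stored as an xl/activeX/activeXN.xml part, uses the well-known CLSID of the Flash ActiveX control, and builds its sample workbook inline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

AX_NS = "http://schemas.microsoft.com/office/2006/activeX"
# CLSID of Adobe's Shockwave Flash ActiveX control (well-known value, not from the article)
FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"
# Anything fetched over a network protocol or from a UNC share counts as remote
REMOTE = re.compile(r"^(https?|ftp)://|^\\\\", re.IGNORECASE)


def find_remote_flash(xlsx_bytes):
    """Return [(part, url)] for each Flash ActiveX control whose Movie property
    points outside the workbook. Assumes the usual OOXML layout where every
    ActiveX control lives in an xl/activeX/activeX<N>.xml part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for part in z.namelist():
            if not (part.startswith("xl/activeX/") and part.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(z.read(part))
            except ET.ParseError:
                # A control part that does not parse is worth a look on its own
                hits.append((part, "<unparseable ActiveX part>"))
                continue
            if root.get(f"{{{AX_NS}}}classid", "").upper() != FLASH_CLSID:
                continue  # some other control, not Flash
            for pr in root.iter(f"{{{AX_NS}}}ocxPr"):
                if pr.get(f"{{{AX_NS}}}name") == "Movie":
                    url = pr.get(f"{{{AX_NS}}}value", "")
                    if REMOTE.search(url):
                        hits.append((part, url))
    return hits


def build_sample(movie):
    """Constructed minimal workbook holding one Flash control; only the parts
    the scanner inspects are present (not a real Excel file)."""
    ocx = (f'<ax:ocx xmlns:ax="{AX_NS}" ax:classid="{FLASH_CLSID}" '
           f'ax:persistence="persistPropertyBag">'
           f'<ax:ocxPr ax:name="Movie" ax:value="{movie}"/></ax:ocx>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/activeX/activeX1.xml", ocx)
    return buf.getvalue()
```

A control whose Movie value is a local file name is not reported; a remote URL or UNC path is, together with the part it was found in.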

Fix Already Live

The patch for CVE-2018-5002 gives users a prompt about potential security risk before loading remote content, mitigating much of the risk. It also addresses three additional flaws, so it's well worth getting up to date.

As for the origins of the attacks, neither Qihoo nor Iceberg attributes it to a particular country. However, Qihoo notes that “All clues show this is a typical APT attack,” and Qatar is the suspected target.

For the unfamiliar, APT stands for advanced persistent threat. Such attacks are highly stealthy and sophisticated and often run for a long period of time. As a result, they usually require a level of resources consistent with a nation-state.

You can read more about the exploit on the Iceberg and Qihoo blogs.