In almost two years, Adobe Flash Player will be gone for good. Multiple experts have complained about the safety of Flash, and they have all argued that better alternatives exist. As it turns out, even Adobe agreed, and the company decided to kill Flash in 2020. However, it appears that the program won’t get to spend its last days in peace. A new discovery seems to confirm the speculation about its risks.

Zero-day vulnerability discovered by Kaspersky Lab

Anton Ivanov from Kaspersky Lab discovered the previously unknown vulnerability. It appears that it has already been exploited by a hacker group named BlackOasis. These hackers target Middle Eastern countries, and they can be a real threat to politicians, journalists, activists and others. The group has also used other vulnerabilities in the past, such as CVE-2017-8759 in September 2017, CVE-2016-4117 in May 2016, CVE-2016-0984 in June 2015, and CVE-2015-5119 in June 2015. The team has been tracking this APT since May 2016.

We do not know for sure who the victims of the latest attack were, but judging by the group’s history, it is very likely that they targeted prominent Middle Eastern figures. We already know that BlackOasis has operations in Iraq, Afghanistan, Bahrain, Jordan, Saudi Arabia, Iran, the Netherlands, the United Kingdom, Russia, Nigeria, Libya, Tunisia, and Angola.

How does it work?

It appears that the hackers used Office documents. Users would receive documents with an embedded ActiveX object that contained the Flash CVE-2017-11292 exploit. A file named mo.exe was then downloaded and run; this file was in fact FinSpy spyware in disguise.

“The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye,” explained Costin Raiu, Global Research and Analysis Team (GReAT).
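A defensive triage check for the delivery vector described under "How does it work?", as an added example that is not from Kaspersky Lab or the original article: it flags OOXML Office files (.docx, .xlsx, .pptx) whose parts reference the Shockwave Flash ActiveX control by its CLSID. The function names, the size limit and the sample document are assumptions constructed for illustration, and a hit means an embedded Flash control is present, not that this specific exploit is.

```python
import io
import uuid
import zipfile

# CLSID of the Shockwave Flash ActiveX control.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# Same GUID in the little-endian layout used inside binary (OLE) parts.
FLASH_CLSID_LE = uuid.UUID(FLASH_CLSID).bytes_le
MAX_PART = 16 * 1024 * 1024  # assumed cap per part, guards against zip bombs


def find_flash_activex(data: bytes) -> list[str]:
    """Return names of parts in an OOXML file that reference the Flash control."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # legacy .doc/.rtf or not a document: out of scope here
    with zf:
        for info in zf.infolist():
            with zf.open(info) as part:
                blob = part.read(MAX_PART)
            # Text form appears in activeX*.xml, raw form in activeX*.bin.
            if FLASH_CLSID.encode() in blob.upper() or FLASH_CLSID_LE in blob:
                hits.append(info.filename)
    return hits


def build_sample(with_flash: bool) -> bytes:
    """Constructed test input: a minimal zip shaped like a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            zf.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx ax:classid="{d27cdb6e-ae6d-11cf-96b8-444553540000}"/>',
            )
            zf.writestr("word/activeX/activeX1.bin",
                        b"\x00" * 8 + FLASH_CLSID_LE + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("flash", build_sample(True))):
        print(label, find_flash_activex(doc))
```

Mail gateways or file-share scanners can use a check like this to quarantine documents for review, since legitimate Office files rarely embed Flash.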