Investigators at the security company identified the zero-day vulnerability CVE-2017-11292, which was used in an attack on Oct. 10. Kaspersky Lab reported the vulnerability to Adobe, which issued an update that all companies and organizations should install.
The threat is delivered through a Microsoft Word document that then installs the commercial malware FinSpy (also known as FinFisher), which is typically sold to nation-states and police forces for surveillance purposes.
After installation, the malware establishes a foothold on the compromised computer and connects it to the command-and-control servers, waiting for further instructions until it deletes data. FinSpy uses several techniques to make forensic analysis difficult.
Investigators believe that the group behind the attack is also responsible for CVE-2017-8759, another zero day found in September, and they suspect that the actor involved is BlackOasis, which Kaspersky Lab's Global Research and Analysis Team has been tracking since 2016.
According to the Kaspersky Lab report, the attackers' targets include a range of people involved in Middle Eastern politics, including United Nations figures, opposition bloggers and activists, as well as regional media correspondents.
So far, BlackOasis victims have been found in a number of countries: Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, the Netherlands, Bahrain, the UK and Angola.
“With this attack using the most recently discovered threat – zero day – it is the third time this year that we have identified the distribution of FinSpy by exploiting zero day vulnerabilities. Previously, the players who used this malware took advantage of the critical aspects of Microsoft Word and Adobe products. We believe that the number of attacks based on FinSpy software and supported by zero day threats, as described above, will continue to increase,” said Anton Ivanov, Principal Investigator of Malware at Kaspersky Lab.
Kaspersky Lab's security solutions detect and block threats that use this vulnerability, but the company advises all users and IT teams to install Adobe's security update.