June 17, 2016

Operation Daybreak: A brand-new zero-day exploit in Flash


Securelist just released a new cyberespionage campaign alert, code-named “Operation Daybreak.” We believe the campaign, which employs a previously unknown Adobe Flash Player exploit, was launched by an attack group code-named ScarCruft.

Operation Daybreak targets a number of very diverse entities ranging from government organizations to large enterprises. Among them are: one of the largest trading companies in Asia, a mobile advertising and app monetization company from the United States, and a restaurant located in one of the top malls in Dubai. Some of them were compromised over the last few days. This indicates the attackers are still active and the operation will continue for at least some time.

The targets appear to receive a malicious link (via spear-phishing e-mails) that points to a hacked website that hosts the exploit kit. The exact attack vector remains unknown, however.

Costin Raiu, from Kaspersky Lab’s Global Research and Analysis Team (GReAT), and Anton Ivanov, our senior malware analyst, say that ScarCruft’s activities stand out in several respects. For example, the exploit for CVE-2016-0147 uses “a few very interesting evasion methods.” The Daybreak attacks also cleverly use a bug in the Windows DDE component to bypass security solutions, a method not seen before now. The flaw has been reported to Microsoft’s security team.

Detection and mitigation

Kaspersky Lab’s products detect this Flash exploit as HEUR:Exploit.SWF.Agent.gen. Our AEP (Automatic Exploit Prevention) component can successfully detect this attack as well. Payloads are detected as HEUR:Trojan.Win32.ScarCruft.gen.

Securelist notes that in-the-wild Flash Player exploits are becoming rare because in most cases they must be paired with a sandbox-bypass exploit, which makes them considerably harder to build. Further, even as Adobe plans to drop Flash support soon, it continues to add new mitigations that make exploitation of Flash Player more and more difficult.

In the meantime, resourceful threat actors such as ScarCruft are deploying zero-day exploits against their high-profile targets, and will continue to do so in the future.

The best option for businesses to avoid becoming victims is to employ a multilayered approach. A combination of traditional antimalware technologies with patch management, host intrusion detection, and, ideally, whitelisting and default-deny strategies, is the optimal course of action here.

“While it’s impossible to achieve 100% protection, in practice and most cases all you have to do is increase your defenses to the point where it becomes too expensive for the attacker — who will just give up and move on to other targets,” Costin Raiu and Anton Ivanov wrote.

For full technical details and indicators of compromise, please refer to Securelist.

More information about the ScarCruft APT group is available to customers of Kaspersky Intelligence Reporting Service.