Booby-trapped Office docs build with ThreadKit trigger CVE-2018-4878 flaw

Pierluigi Paganini April 10, 2018

Microsoft Office documents created with the exploit builder kit dubbed ThreadKit now include the code for CVE-2018-4878 flaw exploitation.

At the end of March, security experts at Proofpoint discovered a Microsoft Office document exploit builder kit dubbed ThreadKit that has been used to spread a variety of malware, including banking Trojans and RATs (i.e. TrickbotChthonicFormBook and Loki Bot).

The exploit kit was first discovered in October 2017, but according to the experts, crooks are using it at least since June 2017.

The ThreadKit builder kit shows similarities to Microsoft Word Intruder (MWI), it was initially being advertised in a forum post as a builder for weaponized decoy documents.

Just after its appearance, documents created with the ThreadKit builder kit have been observed in several campaigns.

Now threat actors are using the ThreadKit builder kit to target the recently patched CVE-2018-4878 Flash vulnerability, experts started observing exploit code samples in the wild a few days ago.

ThreadKit adobe flaws

Adobe addressed the CVE-2018-4878 in February after North Korea’s APT group was spotted exploiting it in targeted attacks.

The vulnerability could be exploited by an attack by tricking victims into opening a document, web page or email containing a specially crafted Flash file.

According to the researcher Simon Choi the Flash Player flaw has been exploited by North Korea since mid-November 2017. The attackers exploited the zero-day vulnerability in attacks aimed at South Korean individuals involved in research activity on North Korea.

Now the exploit was included in the ThreadKit builder, based on Virus Total hashes posted to Pastebin.

The security expert Claes Splett has published a video that shows how to build a CVE-2018-478 exploit in ThreadKit.

Proofpoint experts reported that in the last weeks, the exploit kit included new exploits targeting vulnerabilities such as the CVE-2018-4878 Adobe Flash zero-day and several Microsoft office vulnerabilities (i.e. CVE-2018-0802 and CVE-2017-8570).

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CVE-2018-4878, ThreadKit)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment