Cybersecurity Tech Investment Planning: Use annual loss expectancy to build a business case
arrow-white arrow-white Download now

Flash Exploit CVE-2018-4878 - Part of Massive Malspam Campaign

Posted by Michael Gorelik on February 25, 2018
Find me on:

flash exploit: easily reproducible 

On February 22, 2018, Morphisec Labs spotted several malicious word documents exploiting the latest Flash vulnerability CVE-2018-4878 in the wild in a massive malspam campaign. Adobe released a patch early February, but it will take some companies weeks, months or even years to rollout the patch and cyber criminals keep developing new ways to exploit the vulnerability in this window

All the documents showed a very low detection ratio on VirusTotal and the next stage artifacts were successfully downloaded from a newly registered domain in all cases. Analyzing the attack, it is clear that it took the attackers only a few easy changes to the original targeted attack to outplay static defenses once more.   

Note to Morphisec customers: Morphisec prevents all variants of this attack, starting from the first version one and half years ago to this latest one leveraging CVE-2018-4878.

01-CVE-2018-4878-in-the-wild.pnglatest one leveraging CVE-2018-4878.

The documents were downloaded from the safe-storge[.]biz domain and went almost entirely undetected with an 1/67 detection ratio. 

 safe storage biz information

While many security defenses missed their goal, the attack did not. In the emails, the victims received short links to the malicious website generated by Google URL Shortener. This gives us the ability to see the analytics for the short links, such as click rate and mail host used. For example, we see that victims opened it through Outlook, Gmail and the Italian WebHost This is of course only a partial picture; we detected five different short links, but there are likely more. 

The analytics for the short links shows the same pattern as legitimate email campaigns. Clickthroughs spike in the first couple of hours after emails are sent. Signature-based defenses, like antiviruses, cannot cope with this pace.  

 shortlink1a.png shortlink2a.png

 shortlink3a.png shortlink4a.png 

shortlink5a.png  Click images to enlarge

After downloading and opening the Word document, the attack exploits the Flash vulnerability 2018-4878 and opens a cmd.exe which is later remotely injected with a malicious shellcode that connects back to the malicious domain.

 signature based defenses 

In the next step, the shellcode downloads a "m.db" dll from the same domain, which is executed using regsvr32 process in order to be able to bypass whitelisting solutions:


 Regsvr32 Process:

 Regsvr32 Process

Also the extracted SWF Flash file had very low detection score on VirusTotal:

 disassembled flash file


The disassembled Flash file had a very similar signature to existing PoCs, especially to the stripped 32 bit PoC. Unlike the original attack, however, the current malspam campaign doesn't have a 64 bit implementation.



As expected and predicted, adversaries have quickly adopted the Flash exploit, which is easily reproducible. With small variations to the attack, they successfully launched a massive malspam campaign and bypassed most of the existing static scanning solutions once again.  

Morphisec's Endpoint Threat Prevention solution is agnostic to the morphing and obfuscation of the exploit, and prevented the exploit before any damage could occur.












<unknown name>.docx


Domain: safe-storage[.]biz:443

Short Links:






 New Call-to-action