Hermes ransomware distributed to South Koreans via recent Flash zero-day
This blog post was authored by @hasherezade, Jérôme Segura and Vasilios Hioureas.

At the end of January, the South Korean Emergency Response Team (KrCERT) published news of a Flash Player zero-day used in targeted attacks. The flaw, which exists in Flash Player and below, was distributed via malicious Office documents containing the embedded Flash exploit.

Only a couple of weeks after the public announcement, spam campaigns were already beginning to pump out malicious Word documents containing the newly available exploit. While spam has been an active distribution channel for some time now, the news of a Flash exploit would most certainly interest exploit kit authors as well. Indeed, in our previous blog post about this vulnerability (CVE-2018-4878), we showed how trivial it was to take an already available Proof-of-Concept and package it as a drive-by download instead.

On March 9th, MDNC discovered that a less common, but more sophisticated exploit kit called GreenFlash