Flash Zero-Day Attacks Analyzed by FireEye, Cisco

FireEye and Cisco have analyzed the attacks involving a recently disclosed Flash Player zero-day vulnerability and linked them to a group known for targeting South Korean entities.

South Korea’s Internet & Security Agency (KISA) warned last week of a zero-day flaw in Flash Player. Some local security experts said the vulnerability had been exploited by North Korean hackers since mid-November 2017 in attacks aimed at individuals in South Korea.

Adobe has confirmed the existence of the flaw, which affects the current Flash Player release and all earlier versions, and plans to patch it this week. The security hole, tracked as CVE-2018-4878, is a use-after-free bug that a remote attacker can leverage to execute arbitrary code.

FireEye launched an investigation following the alert from KISA and linked the attack to a group it tracks as TEMP.Reaper. The threat actor is believed to operate out of North Korea because it has been observed interacting with command and control (C&C) servers from IP addresses associated with Star JV, the North Korean-Thai joint venture that connects the country to the Internet.

“Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year. They have taken interest in subject matter of direct importance to the Democratic People’s Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors,” FireEye said.

FireEye said its researchers spotted a new wiper malware, dubbed “RUHAPPY,” being developed by the Reaper group in the past year. North Korean threat actors have been known to use wiper malware, but Reaper has not been seen using RUHAPPY in attacks.

The security firm’s analysis showed that the attackers exploited the Flash Player zero-day via malicious Office documents and spreadsheets that embed a specially crafted SWF file. When the exploit succeeds, it delivers a backdoor that FireEye calls “DOGCALL.”
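The delivery vehicle described above, an Office file carrying an embedded SWF, is something a defender can check for without any knowledge of the specific exploit. The following scanner is an added example, not code from the article or from FireEye or Cisco: it opens an OOXML (.docx/.xlsx/.pptx) container, walks every zip member (or, for a legacy OLE file, the raw bytes), and reports any plausible SWF header (FWS uncompressed, CWS zlib-compressed, ZWS LZMA-compressed). The sample spreadsheet and the embedded SWF it finds are constructed inline; the member path `xl/embeddings/oleObject1.bin`, the 64-byte OLE filler and the `MAX_MEMBER` cap are assumptions for illustration, and the minimal SWF is a benign empty movie, not an exploit.

```python
"""Scan Office documents (OOXML zip containers or raw OLE/other bytes) for embedded SWF files.

Added example, not code from the article or from FireEye/Cisco. All sample input is
constructed in build_sample_xlsx(); the embedded SWF is a benign empty movie.
"""
import io
import re
import struct
import zipfile
import zlib

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGIC = re.compile(rb"[FCZ]WS")
MAX_MEMBER = 50 * 1024 * 1024  # assumed cap: do not inflate zip members larger than this (zip-bomb guard)


def parse_swf_header(blob, offset):
    """Validate a candidate SWF header at offset; return a dict, or None if it is a false hit."""
    if offset + 8 > len(blob):
        return None
    sig = blob[offset:offset + 3].decode("ascii")
    version = blob[offset + 3]                        # SWF version byte
    length = struct.unpack_from("<I", blob, offset + 4)[0]  # declared uncompressed file length
    remaining = len(blob) - offset
    # Heuristic plausibility checks so random "FWS"/"CWS"/"ZWS" bytes inside text are ignored.
    if not 1 <= version <= 50 or length < 8:
        return None
    if sig == "FWS" and length > remaining:
        return None  # an uncompressed SWF cannot declare more bytes than are actually present
    if sig == "CWS":
        try:  # the body after the 8-byte header must start as a valid zlib stream
            out = zlib.decompressobj().decompress(blob[offset + 8:offset + 8 + 65536])
        except zlib.error:
            return None
        if not out:
            return None
    if sig == "ZWS":
        # ZWS layout: 4-byte compressed length, then 5 LZMA property bytes (first must be < 9*5*5)
        if remaining < 17 or blob[offset + 12] >= 225:
            return None
    return {"signature": sig, "version": version, "declared_length": length}


def find_embedded_swf(data):
    """Return a list of SWF hits found in an Office file supplied as bytes."""
    members = [("<raw>", data)]
    if data[:4] == b"PK\x03\x04":  # OOXML is a zip: inspect every member, including embeddings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [(i.filename, zf.read(i.filename))
                       for i in zf.infolist() if i.file_size <= MAX_MEMBER]
    hits = []
    for name, blob in members:
        for m in SWF_MAGIC.finditer(blob):
            hdr = parse_swf_header(blob, m.start())
            if hdr:
                hits.append({"member": name, "offset": m.start(), **hdr})
    return hits


def minimal_swf(compressed):
    """Constructed minimal SWF (version 10): empty RECT, 12 fps, one frame, End tag. Benign."""
    body = b"\x00" + b"\x00\x0c" + b"\x01\x00" + b"\x00\x00"
    header = (b"CWS" if compressed else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


def build_sample_xlsx(with_swf=True):
    """Constructed stand-in for a spreadsheet carrying an embedded Flash object (assumed layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_swf:
            # An OLE wrapper normally precedes the SWF inside the embedding; 64 filler bytes stand in for it.
            zf.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 64 + minimal_swf(compressed=True))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_embedded_swf(build_sample_xlsx()):
        print(hit)
```

Any hit is worth a look: a spreadsheet from an unknown sender has no business carrying Flash content. The header checks only reduce false positives from text that happens to contain the three-letter signature; they say nothing about whether the SWF is malicious, so a hit should feed into sandboxing or a Flash-version policy check rather than be treated as a verdict.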

Cisco Talos has published several reports in the past months on this remote access trojan (RAT), which it tracks as ROKRAT.

Cisco Talos has attributed the Flash Player zero-day attacks to an actor it has named “Group 123.” Talos last month detailed several campaigns conducted by this group against South Korean targets, but its researchers have refrained from explicitly attributing the operations to North Korea.

“Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT,” Talos researchers said in a blog post on Friday. “They have used an Adobe Flash 0-day which was outside of their previous capabilities – they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123’s maturity level; we can now confidently assess Group 123 is a highly skilled, highly motivated and highly sophisticated group.”

Simon Choi of South Korea-based cybersecurity firm Hauri, one of the first people to publicly attribute the attack to North Korea, said he had traced one of the hackers using the Flash zero-day to a Facebook account apparently belonging to a resident of Pyongyang, North Korea’s capital.

*Updated with information from Simon Choi

Related: U.S. Government Shares Details of FALLCHILL Malware Used by North Korea

Related: Australia, Canada, Others Blame North Korea for WannaCry Attack

Related: North Korean Hackers Target Android Users in South

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
