Exploit:SWF/CVE-2018-15982.G

The Exploit:SWF/CVE-2018-15982.G exploits a specific use-after-free vulnerability CVE-2018-15982 in the com.adobe.tvsdk.mediacore.metadatapackage of Adobe Flash Player versions 31.0.0.153 and earlier. Threat actors create a malicious Shockwave Flash (SWF) file that manipulates memory pointers to create a dangling reference. This manipulation allows the threat actor to insert and run a custom shellcode, which takes control of the process and allows arbitrary code to launch on the target device. The initial delivery of this SWF file occurs through two primary methods: first, via spear-phishing emails that contain RAR archives holding malicious Microsoft Office documents with the exploit embedded as a hidden ActiveX object; and second, through integration into exploit kits like the RIG EK, which deploy the SWF file in drive-by download attacks from compromised websites. 

After successful exploitation, the embedded shellcode initiates contact with a remote command-and-control (C2) server, such as the IP address 216[.]250.99[.]5 or domains like jeitacave[.]org/ps004.jpg, to retrieve a secondary payload. The shellcode is attempting to download a file named "in.exe." This process often involves executing a malicious PowerShell script, which threat actors sometimes disguise with a .jpg extension, for example, wpltbbrp_011up.jpg. The payload then implements a sophisticated installation routine that uses a malicious MSI installer package. This installer drops specific files, including winupdate64.log (a loader DLL) and sysupdate.log (an encrypted payload), into the Windows directory.  

To achieve persistence, the malware modifies the PendingFileRenameOperations value within the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager registry key. This modification forces the Windows Session Manager (smss.exe) to replace the legitimate System Event Notification Service file (sens.dll) with the malicious loader during the next system startup. Once in place, the loader decrypts and executes the final payload from a suspended svchost.exe process. This final payload includes a DLL and a rootkit driver, often using filenames like Ms{random hex values}App.dll or dump_{random hex values}.sys, which hides the payload’s presence and activities on the infected device.