Adobe Flash Zero-Day Vulnerability – Operation Clandestine Wolf by FireEye

Adobe Flash Zero Day Vulnerability Blog Image

The beautiful June is about to end, the name of the month may have been “sere-month” which implies “dry and withered” or let’s move to Latin and the name becomes Iūnius, meaning “sacred to Juno,” the Roman goddess. So to beat the heat and in the loving memory of the Roman goddess, FireEye as a Service team explored a phishing campaign which was out there for much long and came up with CVE-2015-3113 (as per NVD) also known as Flash Player Zero-day vulnerability.

Adobe Flash Zero-Day Vulnerability Comment on APT3

Affected Industries by Adobe Flash Zero-Day Vulnerability

  • Aerospace and Defense
  • Construction and Engineering
  • High Tech
  • Telecommunications
  • Transportation


Adobe Flash Zero-Day Vulnerability Comment



  • Phishing e-mail sent to victim
  • Victim clicked on the e-mail and redirected to a compromised server hosting JavaScript profiling scripts
  • Adobe Flash Player SWF file and an FLV file gets downloaded on their system
  • Systems get infected with SHOTPUT, a back-door which was detected by FireEye as Backdoor.APT.CookieCutterAbility to communicate other stakeholders in organization and also must have project management skills

To remain in an incognito mode, the payload employed XOR encoding and attached itself to a valid GIF file.


Example bait:

Adobe Flash XOR encoding example bait

The string shown in RED circle was a link that used the following URL:
Source: hxxp://<subdomain>.<legitdomain>.<TLD>/<directory>/<alphanumericID>.html

Adobe Flash Zero-Day Vulnerability Exploit Details:

  • Root cause of CVE 20015-3113 is the same as of CVE 2015-3043 which is buffer overflow vulnerability
  • Both the vulnerabilities affect the client system by a malware if they visit a compromised server with a malicious Flash file


CVE 2015-3113 and CVE 2015-3043:

  • Both are Heap overflow vulnerabilities in the FLV audio parsing flow
  • Both the vulnerabilities are triggered by the modification of FLV’s audio tag
  • Both overflow a hard coded length heap buffer with a length of 0x2000
  • Both the vulnerabilities Trigger this blog using “sample_count*sample_size> 0x2000″and bypass the length check


Payload Packaging:

The payload uses RC4 packing for obfuscation. The RC4 key and ciphertext are BinaryData blobs that the packer uses it to decrypt the layer 2 Adobe Flash Player file. Once it gets decrypted, layer 2 is executed with “loader.loadBytes”.



  • Flash v18.0.0.194 on Windows and Mac
  • Flash v11.2.202.466 for Linux 11.x versions
  • Internet Explorer for Windows 7 and below as well as Firefox on Windows XP are known targets of these exploits


Threat Agent:

APT3 aka UPS

  • China-based threat group which FireEye tracks as APT3
  • Operation Name given by FireEye: Clandestine Fox
  • One of the lowest lying threat groups that “FireEye Threat Intelligence” has a keen interest in and keeps track of
  • The famous group has created a history by introduction of new browser-based zero-day exploits (e.g., Internet Explorer, Firefox, and Adobe Flash Player)
  • Post the target gets compromised/exploited; the group will quickly dump all the credentials, move laterally to additional hosts, and install custom back-doors
  • The Command and Control Centre (C&C) of APT3’s is difficult to track, as there is close to a minimal similarity between the different campaigns carried out by it




Adobe has already released a patch for CVE-2015-3113 with an out-of-band security bulletin.

It’s a recommendation from SISA that the vulnerable clients get the updated version of Adobe Flash Player from the above Adobe link only.


Kaushik Pandey
SISA’s Latest
close slider