CVE-2018-4878 (Flash Player up to and Exploit Kits

2018-03-09 - Exploit Integration


CVE-2018-4878 is a remote code execution bug in Flash Player up to, spotted in the wild as a 0day and announced by the South Korean CERT (KrCERT) on January 31, 2018. It was patched on February 6, 2018 with APSB18-03. Seen in a malspam campaign two weeks later, it is now being integrated into Exploit Kits.

This is, as far as I know, the first new working RCE integrated into a non-targeted Exploit Kit [1] since CVE-2016-0189 in July 2016 (!).


GreenFlash Sundown:

Spotted on 2018-03-09 (but probably there for several days already)


Figure 1: Greenflash Sundown successfully deploying Hermes 2.1 Ransomware after exploiting Flash in IE11 on Windows 7 - 2018-03-09

GreenFlash is a private, heavily modified version of Sundown EK, spotted in October 2016 by Trend Micro. It is used exclusively by the "WordsJS" (aka "ShadowGate") group, which has been getting its traffic from compromised Revive/OpenX advertising servers since at least May 2015.


Figure 2: Some tagged activity from WordsJS displayed in MISP.

Some references about the activities of this group:

Blog/Tweet | Date | Author
OpenX Hacks example (malvertising) | 2015-05-19 | @malekal_morte
[Tweet] Malvertising via psychecentral[.]com […] | 2015-10-12 | @BelchSpeak
Angler EK: Installs bedep, vawtrak and POS malware | 2015-11-02 | Cyphort
Music-themed Malvertising Lead To Angler | 2016-01-19 | Zscaler
[FR] Exemple d'une Malvertising sur OpenX (Example of malvertising on OpenX) | 2016-04-13 | @malekal_morte
Top Chilean News Website Emol Pushes Angler Exploit Kit | 2016-05-11 | Malwarebytes
Is it the End of Angler ? | 2016-06-11 | MDNC
Shadowed Domains Lead to Neutrino EK | 2016-08-12 | RiskIQ
Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted [2] | 2016-09-01 | Talos
Sundown EK from sends Locky Ransomware | 2016-10-17 | @malware_traffic
New Bizarro Sundown Exploit Kit Spreads Locky | 2016-11-04 | Trend Micro

Files: Fiddler on VT - Pcap on VT (note: some HTTPS proxies were used, so the capture is not a pristine wire trace)

IOC | Type | Comment | Date
bannerssale[.]com | 159.65.131[.]94 | domain | IP | Sundown GF Step 1 | 2018-01-09
aquaadvertisement[.]com | 159.65.131[.]95 | domain | IP | Sundown GF Step 2 | 2018-03-09
listening.secondadvertisements[.]com | 207.148.104[.]5 | domain | IP | Sundown GF Step 3 | 2018-03-09
65bd3d860aaf8874ab76a1ecc852a570 | md5 | Ransomware Hermes 2.1 | 2018-03-09
f84435880c4477d3a552fb5e95f141e1 | md5 | Ransomware Hermes 2.1 | 2018-03-10
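As an added example (not code from the original post or from any of the tools it mentions), here is a small Python check that turns the defanged IOCs above into a lookup, runs it over a few constructed proxy log lines, flags a client that walks the three GreenFlash Sundown steps in order, and reports the Referer of the Step 1 request (the upstream ad-server page the author is asking for). The log line format, the `compromised-publisher.example` host and the URL paths in the sample lines are assumptions made up for the example; only the domains, IPs and md5 values come from the table.

```python
import re
from collections import defaultdict

# IOCs exactly as published in the table above (defanged).
GREENFLASH_IOCS = {
    "bannerssale[.]com": "Sundown GF Step 1",
    "159.65.131[.]94": "Sundown GF Step 1",
    "aquaadvertisement[.]com": "Sundown GF Step 2",
    "159.65.131[.]95": "Sundown GF Step 2",
    "listening.secondadvertisements[.]com": "Sundown GF Step 3",
    "207.148.104[.]5": "Sundown GF Step 3",
}
HERMES_MD5 = {
    "65bd3d860aaf8874ab76a1ecc852a570",
    "f84435880c4477d3a552fb5e95f141e1",
}


def refang(ioc):
    """Turn a defanged indicator back into a matchable string."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


# host/IP -> step label, usable directly against log fields
REFANGED = {refang(k): v for k, v in GREENFLASH_IOCS.items()}

# Assumed proxy log format (hypothetical, not a real product's):
# <timestamp> <client> <method> <url> <dst_ip> "<referer>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<dst_ip>\S+) "(?P<referer>[^"]*)"$'
)


def host_of(url):
    """Hostname part of an http(s) URL, lower-cased."""
    m = re.match(r'^https?://([^/:]+)', url)
    return m.group(1).lower() if m else url.lower()


def scan_proxy_log(lines):
    """Return {client: [(step, host, referer), ...]} for every IOC hit, in log order."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than crash on it
        host = host_of(m["url"])
        # match on the host first, then fall back to the destination IP
        step = REFANGED.get(host) or REFANGED.get(m["dst_ip"])
        if step:
            hits[m["client"]].append((step, host, m["referer"]))
    return dict(hits)


def full_chain(client_hits):
    """True when Step 1, 2 and 3 were all seen, in that order, for one client."""
    wanted = ["Sundown GF Step 1", "Sundown GF Step 2", "Sundown GF Step 3"]
    idx = 0
    for step, _, _ in client_hits:
        if step == wanted[idx]:
            idx += 1
            if idx == len(wanted):
                return True
    return False


def entry_referers(hits):
    """Referers of Step 1 requests: the upstream page that pushed the victim into the chain."""
    return sorted({ref for client_hits in hits.values()
                   for step, _, ref in client_hits
                   if step.endswith("Step 1") and ref != "-"})


def check_hashes(md5s):
    """Subset of the given md5 values that match the Hermes 2.1 samples."""
    return sorted(h.lower() for h in md5s if h.lower() in HERMES_MD5)


# Constructed sample log: one client walking the whole chain, one clean client.
SAMPLE_LOG = [
    '2018-03-09T14:02:11Z 10.0.0.12 GET http://compromised-publisher.example/index.html 203.0.113.10 "-"',
    '2018-03-09T14:02:12Z 10.0.0.12 GET http://bannerssale.com/ads/banner.js 159.65.131.94 "http://compromised-publisher.example/index.html"',
    '2018-03-09T14:02:13Z 10.0.0.12 GET http://aquaadvertisement.com/index.php 159.65.131.95 "http://bannerssale.com/ads/banner.js"',
    '2018-03-09T14:02:15Z 10.0.0.12 GET http://listening.secondadvertisements.com/flash.swf 207.148.104.5 "http://aquaadvertisement.com/index.php"',
    '2018-03-09T14:05:00Z 10.0.0.44 GET http://example.com/ 93.184.216.34 "-"',
]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for client, client_hits in found.items():
        print(client, "full GreenFlash chain" if full_chain(client_hits) else "partial hits", client_hits)
    print("entry referers:", entry_referers(found))
    print("Hermes samples:", check_hashes(["65BD3D860AAF8874AB76A1ECC852A570", "deadbeef"]))
```

Matching on both hostname and destination IP is deliberate: the gate domains in this chain rotate faster than the hosting IPs, so a log that only keeps one of the two fields still yields a hit. Requiring the three steps in order for one client keeps a stray ad-server prefetch of Step 1 from being reported as a successful pass.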

If you saw this kind of traffic in your perimeter/telemetry, I'd be happy to get more referers.


  • 2018-03-10 - 15:40 GMT - Removed mention of steganography. @smogoreli: "simple offset in the .dat file"


  • Thanks to Genwei Jiang (FireEye) for the CVE identification.
  • Thanks to Joseph Chen for inputs allowing the capture of a fresh pass of GreenFlash Sundown.
  • Thanks to @GelosSnake & @baberpervez2 for the ping on suspicious activity that could be associated with "WordsJS" (aka "ShadowGate") and triggered those checks.

  1. For instance, CVE-2016-7855 was integrated as a 0day in Sednit EK in October 2016.

  2. It was not exactly malvertising but an ad-server compromise, and nothing but a bunch of shadowed domains was really taken down.

CVE-2018-4878 GreenFlash Sundown WordsJS ShadowGate