Adobe Flash Vulnerability Used by APT28 (CVE-2017-11292)

Affected Platforms

Adobe Flash Player version


The APT group, APT28 (aka FancyBear), are attempting to use an Adobe Flash Zero Day exploit which was first identified on 10 October 2017. The exploit is delivered via a phishing email and Microsoft Office Document attachment which contains an updated version of the FinSpy malware. The zero day has been assigned a CVE-2017-11292 designation by Adobe.

The recent CVE-2017-11292 exploit is a memory corruption vulnerability which resides in the “com.adobe.tvsdk.mediacore.BufferControlParameters” class which allows the execution of a second stage payload which performs the following actions:

  • Download the final payload (FinSpy) from hxxp://89.45.67[.]107/rss/mo.exe
  • Download a lure document to display to the victim from the same IP
  • Execute the payload and display the lure document

Indicators of compromise
MD5 hashes

  • 4a49135d2ecc07085a8b7c5925a36c0a


  • 89.45.67[.]107


  • Disable flash if it is not required for business functions.
  • Ensure patches and updates are installed in a timely manner.
  • Killbit for Flash can be used to disable it in related applications. However carrying this action out system wide is problematic as Flash objects can be loaded in applications that potentially do not follow the killbit.

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: