During an analysis of different remote desktop trojans we came across an interesting attack-chain which leverages an RTF that exploits CVE-2017-8759 to deliver DarkVNC, a malicious version of the well-known VNC, designed to silently remote-control a victim.
Continue reading “A short journey into DarkVNC attack chain”
Adobe released in April 2015 an update to patch CVE-2015-3043 that was being exploited actively in the wild by (but not only) threat actor APT28 during the operation RussianDoll. The vulnerability was a heap overflow in the FLV audio parsing engine, in particular the culprit was a hardcoded heap buffer length of 0x2000 bytes, the attackers simply had to provide a source capable of bypassing the length check and overwrite a buffer with more than 0x2000 bytes.