Now that the IE zero day which caused so much panic over the last several days has been patched, researchers are much more free to discuss details of the attack.
Cisco's Snort IPS network shows that their customers began on April 24 with several phishing attacks.
The attack relies on getting a user to visit a web site with the malicious code and this was the purpose of the phishing emails. Cisco found these subject lines used in the attacks:
- Welcome to Projectmates!
- Refinance Report
- What's ahead for Senior Care M&A
- UPDATED GALLERY for 2014 Calendar Submissions
These domains were used to host the malicious code:
Once the heap is prepared, the SWF calls back into the web page at
oil() with a special string as a parameter.
oil() then invokes the exploit by calling eval() with the string passed from the SWF. This causes a crash which eventually executes the shell code.
There have been several Flash exploits with heap sprays recently. It may be that the attackers brought the Flash object into the picture because they had more trouble getting the exploit to work in IE.