{
	"id": "fc433406-6493-4688-bd4e-432b439658ec",
	"created_at": "2026-04-06T00:18:58.557978Z",
	"updated_at": "2026-04-10T03:25:05.317314Z",
	"deleted_at": null,
	"sha1_hash": "6eed5ac5ef038eda219cea039afd827c26bebee6",
	"title": "BlackOasis APT and new targeted attacks leveraging zero-day exploit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 978335,
	"plain_text": "BlackOasis APT and new targeted attacks leveraging zero-day exploit\r\nBy GReAT\r\nPublished: 2017-10-16 · Archived: 2026-04-05 15:16:38 UTC\r\nMore information about BlackOasis APT is available to customers of Kaspersky Intelligence Reporting Service.\r\nContact: intelreports@kaspersky.com\r\nIntroduction\r\nKaspersky Lab has always worked closely with vendors to protect users. As soon as we find new vulnerabilities we immediately inform the vendor in a responsible manner and provide all the details required for a fix.\r\nOn October 10, 2017, Kaspersky Lab’s advanced exploit prevention systems identified a new Adobe Flash zero-day exploit used in the wild against our customers. The exploit was delivered through a Microsoft Office document and the final payload was the latest version of FinSpy malware. We have reported the bug to Adobe, who assigned it CVE-2017-11292 and released a patch earlier today:\r\nSo far only one attack has been observed in our customer base, leading us to believe the number of attacks is minimal and highly targeted.\r\nAnalysis of the payload allowed us to confidently link this attack to an actor we track as “BlackOasis”. We are also highly confident that BlackOasis was also responsible for another zero-day exploit (CVE-2017-8759) discovered by FireEye in September 2017. The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye.\r\nBlackOasis Background\r\nhttps://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/\r\nPage 1 of 11\n\nWe first became aware of BlackOasis’ activities in May 2016, while investigating another Adobe Flash zero day. On May 10, 2016, Adobe warned of a vulnerability (CVE-2016-4117) affecting Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. 
The vulnerability was actively being exploited in the wild.\r\nKaspersky Lab was able to identify a sample exploiting this vulnerability that was uploaded to a multi-scanner system on May 8, 2016. The sample, in the form of an RTF document, exploited CVE-2016-4117 to download and install a program from a remote C\u0026C server. Although the exact payload of the attack was no longer in the C\u0026C, the same server was hosting multiple FinSpy installation packages.\r\nLeveraging data from Kaspersky Security Network, we identified two other similar exploit chains used by BlackOasis in June 2015 which were zero days at the time. Those include CVE-2015-5119 and CVE-2016-0984, which were patched in July 2015 and February 2016 respectively. These exploit chains also delivered FinSpy installation packages.\r\nSince the discovery of BlackOasis’ exploitation network, we’ve been tracking this threat actor with the purpose of better understanding their operations and targeting and have seen a couple dozen new attacks. Some lure documents used in these attacks are shown below:\r\nDecoy documents used in BlackOasis attacks\r\nTo summarize, we have seen BlackOasis utilizing at least five zero days since June 2015:\r\nCVE-2015-5119 – June 2015\r\nCVE-2016-0984 – June 2015\r\nCVE-2016-4117 – May 2016\r\nCVE-2017-8759 – Sept 2017\r\nCVE-2017-11292 – Oct 2017\r\nAttacks Leveraging CVE-2017-11292\r\nThe attack begins with the delivery of an Office document, presumably in this instance via e-mail. 
Embedded within the document is an ActiveX object which contains the Flash exploit.\r\nFlash object in the .docx file, stored in uncompressed format\r\nThe Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits.\r\nUnpacking routine for SWF exploit\r\nThe exploit is a memory corruption vulnerability that exists in the “com.adobe.tvsdk.mediacore.BufferControlParameters” class. If the exploit is successful, it will gain arbitrary read / write operations within memory, thus allowing it to execute a second stage shellcode.\r\nThe first stage shellcode contains an interesting NOP sled with alternative instructions, which was most likely designed in such a way to avoid detection by antivirus products looking for large NOP blocks inside flash files:\r\nNOP sled composed of 0x90 and 0x91 opcodes\r\nThe main purpose of the initial shellcode is to download second stage shellcode from hxxp://89.45.67[.]107/rss/5uzosoff0u.iaf.\r\nSecond stage shellcode\r\nThe second stage shellcode will then perform the following actions:\r\n1. Download the final payload (FinSpy) from hxxp://89.45.67[.]107/rss/mo.exe\r\n2. Download a lure document to display to the victim from the same IP\r\n3. Execute the payload and display the lure document\r\nPayload – mo.exe\r\nAs mentioned earlier, the “mo.exe” payload (MD5: 4a49135d2ecc07085a8b7c5925a36c0a) is the newest version of FinSpy malware, typically sold to nation states and other law enforcement agencies to use in lawful surveillance operations. 
This newer variant has made it especially difficult for researchers to analyze the malware due to many added anti-analysis techniques, including a custom packer and a virtual machine to execute code. The PCODE of the virtual machine is packed with the aplib packer.\r\nPart of packed VM PCODE\r\nAfter unpacking, the PCODE will look like the following:\r\nUnpacked PCODE\r\nAfter unpacking, the virtual machine PCODE is then decrypted:\r\nDecrypted VM PCODE\r\nThe custom virtual machine supports a total of 34 instructions:\r\nExample of parsed PCODE\r\nIn this example, the “1b” instruction is responsible for executing native code that is specified in the parameter field.\r\nOnce the payload is successfully executed, it will proceed to copy files to the following locations:\r\nC:\\ProgramData\\ManagerApp\\AdapterTroubleshooter.exe\r\nC:\\ProgramData\\ManagerApp\\15b937.cab\r\nC:\\ProgramData\\ManagerApp\\install.cab\r\nC:\\ProgramData\\ManagerApp\\msvcr90.dll\r\nC:\\ProgramData\\ManagerApp\\d3d9.dll\r\nThe “AdapterTroubleshooter.exe” file is a legitimate binary which is leveraged to use the famous DLL search order hijacking technique. The “d3d9.dll” file is malicious and is loaded into memory by the legit binary upon execution. Once loaded, the DLL will then inject FinSpy into the Winlogon process.\r\nPart of injected code in winlogon process\r\nThe payload calls out to three C2 servers for further control and exfiltration of data. We have observed two of them used in the past with other FinSpy payloads. 
Most recently one of these C2 servers was used together with CVE-2017-8759 in the attacks reported by FireEye in September 2017. These IPs and other previous samples tie closely to the BlackOasis APT cluster of FinSpy activity.\r\nTargeting and Victims\r\nBlackOasis’ interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region. This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents. During 2016, we observed a heavy interest in Angola, exemplified by lure documents indicating targets with suspected ties to oil, money laundering, and other illicit activities. There is also an interest in international activists and think tanks.\r\nVictims of BlackOasis have been observed in the following countries: Russia, Iraq, Afghanistan, Nigeria, Libya, Jordan, Tunisia, Saudi Arabia, Iran, Netherlands, Bahrain, United Kingdom and Angola.\r\nConclusions\r\nWe estimate that the attack on HackingTeam in mid-2015 left a gap on the market for surveillance tools, which is now being filled by other companies. One of these is FinFisher with their suite of tools.\r\nWe believe the number of attacks relying on FinFisher software, supported by zero-day exploits such as the ones described here, will continue to grow.\r\nWhat does it mean for everyone and how to defend against such attacks, including zero-day exploits?\r\nFor CVE-2017-11292 and other similar vulnerabilities, one can use the killbit for Flash within their organizations to disable it in any applications that respect it. Unfortunately, doing this system-wide is not easily done, as Flash objects can be loaded in applications that potentially do not follow the killbit. 
Additionally, this may break any other necessary resources that rely on Flash and of course, it will not protect against exploits for other third-party software.\r\nDeploying a multi-layered approach including access policies, anti-virus, network monitoring and allowlisting can help ensure customers are protected against threats such as this. Users of Kaspersky products are protected as well against this threat by one of the following detections:\r\nPDM:Exploit.Win32.Generic\r\nHEUR:Exploit.SWF.Generic\r\nHEUR:Exploit.MSOffice.Generic\r\nAcknowledgements\r\nWe would like to thank the Adobe Product Security Incident Response Team (PSIRT) for working with us to identify and patch this vulnerability.\r\nReferences\r\n1. Adobe Bulletin https://helpx.adobe.com/security/products/flash-player/apsb17-32.html\r\nIndicators of compromise\r\n4a49135d2ecc07085a8b7c5925a36c0a\r\n89.45.67[.]107\r\nSource: https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/"
	],
	"report_names": [
		"82732"
	],
	"threat_actors": [
		{
			"id": "10ad5c1d-5030-4300-be4e-6d24b40a6330",
			"created_at": "2022-10-25T16:07:23.400966Z",
			"updated_at": "2026-04-10T02:00:04.581114Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"G0063"
			],
			"source_name": "ETDA:BlackOasis",
			"tools": [
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Wingbird"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5200f27d-0d0a-49e9-a9de-9612971126c2",
			"created_at": "2023-01-06T13:46:38.959648Z",
			"updated_at": "2026-04-10T02:00:03.163547Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"G0063"
			],
			"source_name": "MISPGALAXY:BlackOasis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1ba9c064-34d2-48b5-a08c-04d241b00ebe",
			"created_at": "2022-10-25T15:50:23.734241Z",
			"updated_at": "2026-04-10T02:00:05.404606Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"BlackOasis"
			],
			"source_name": "MITRE:BlackOasis",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434738,
	"ts_updated_at": 1775791505,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6eed5ac5ef038eda219cea039afd827c26bebee6.pdf",
		"text": "https://archive.orkl.eu/6eed5ac5ef038eda219cea039afd827c26bebee6.txt",
		"img": "https://archive.orkl.eu/6eed5ac5ef038eda219cea039afd827c26bebee6.jpg"
	}
}