Victims are lured with a generic phishing email whose text closely resembles ordinary spam. In the example FireEye provided, the bait was an offer for a refurbished, Apple-certified iMac at a discount of between $200 and $450 (€180 – €400); the email further enticed the recipient with a one-year extendable warranty for the product.
Clicking the link redirected the victim to a server running scripts that profiled the visitor's machine to decide whether it was worth compromising. Visitors of no interest were served harmless content; the rest received malicious SWF and FLV files. The vulnerability exploited is a heap buffer overflow in Adobe Flash Player, now identified as CVE-2015-3113.
FireEye says the attack code relies on a common Vector corruption technique (overwriting the length field of an ActionScript Vector object so that reads and writes beyond its real bounds pass the runtime's bounds check) to defeat Address Space Layout Randomization (ASLR), and on a new Return-Oriented Programming (ROP) technique to bypass Data Execution Prevention (DEP) while evading some ROP detection mechanisms.
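As an added illustration of the heap overflow and the Vector corruption technique described above (this is not code from FireEye or from the exploit; the object layout, element capacity, cookie value and the `SECRET_VALUE` sentinel are assumptions made for the demonstration), the following C program models two length-prefixed vectors lying back to back in one arena. A one-element overflow from the first lands on the second's length header, after which the runtime's own bounds check no longer protects anything and data past the vector can be read. The same overflow against a cookie-protected length header is then shown to produce an unusable length instead of a read primitive:

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of two ActionScript Vector.<uint> objects lying back to back on
 * the heap: a 32-bit length header followed by inline elements. The layout
 * and sizes are assumptions for illustration, not the real player's objects. */
#define VEC_CAP      4                  /* elements each vector really owns    */
#define HDR_WORDS    1                  /* the length field                    */
#define VEC_WORDS    (HDR_WORDS + VEC_CAP)
#define SECRET_SLOT  (2 * VEC_WORDS)    /* data that follows vecB in memory    */
#define SECRET_VALUE 0x7FFE0123u        /* stands in for a leaked code pointer */

/* One arena holds vecA | vecB | secret, so every access below stays inside a
 * single C object and the program is well defined even when "overflowing". */
static uint32_t arena[SECRET_SLOT + 1];
#define VEC_A (arena)
#define VEC_B (arena + VEC_WORDS)

static void arena_init(void) {
    memset(arena, 0, sizeof arena);
    VEC_A[0] = VEC_CAP;
    VEC_B[0] = VEC_CAP;
    arena[SECRET_SLOT] = SECRET_VALUE;
}

/* The runtime's element accessor: the bounds check trusts the header. */
static int vec_get(const uint32_t *v, uint32_t idx, uint32_t *out) {
    if (idx >= v[0]) return -1;         /* sound only while v[0] is intact     */
    *out = v[HDR_WORDS + idx];
    return 0;
}

/* The bug: elements are copied into vecA with a caller-supplied count that
 * is never compared against VEC_CAP, i.e. a heap buffer overflow. */
static void buggy_fill(const uint32_t *src, uint32_t count) {
    for (uint32_t i = 0; i < count; i++)
        VEC_A[HDR_WORDS + i] = src[i];  /* element 4 lands on vecB's header    */
}

/* The attack: overflow by exactly one element so vecB's length becomes huge.
 * From then on vec_get(VEC_B, ...) accepts any index, so whatever follows
 * vecB on the heap can be read (and, with a matching setter, written). */
static uint32_t corrupt_neighbor_length(void) {
    const uint32_t payload[VEC_CAP + 1] = {1, 2, 3, 4, 0x7FFFFFFFu};
    buggy_fill(payload, VEC_CAP + 1);
    return VEC_B[0];
}

/* Hardening in the spirit of the 2015 Vector length fix (illustrative, not
 * Adobe's code): the header stores len ^ cookie, and the decoded length must
 * not exceed the capacity the allocator handed out. Blindly writing
 * 0x7FFFFFFF over the header now yields a length that fails the check. */
static const uint32_t kCookie = 0x5A3C9E71u;  /* assumed per-process random  */

static void hardened_init(uint32_t *v) { v[0] = VEC_CAP ^ kCookie; }

static int hardened_get(const uint32_t *v, uint32_t idx, uint32_t *out) {
    uint32_t len = v[0] ^ kCookie;
    if (len > VEC_CAP) return -2;       /* header corrupted: refuse the object */
    if (idx >= len) return -1;          /* ordinary out-of-bounds index        */
    *out = v[HDR_WORDS + idx];
    return 0;
}

int main(void) {
    uint32_t out = 0;

    arena_init();
    printf("before overflow: vec_get(vecB, %d) -> %d\n", VEC_CAP, vec_get(VEC_B, VEC_CAP, &out));
    printf("vecB length after overflow: 0x%08" PRIx32 "\n", corrupt_neighbor_length());
    if (vec_get(VEC_B, VEC_CAP, &out) == 0)
        printf("value leaked from past vecB: 0x%08" PRIx32 "\n", out);

    arena_init();
    hardened_init(VEC_B);
    corrupt_neighbor_length();
    printf("hardened read after overflow -> %d\n", hardened_get(VEC_B, VEC_CAP, &out));
    return 0;
}
```

In a real Flash exploit the leaked value is a vtable or module pointer of a neighbouring heap object; subtracting its known offset gives the module's load address, which is the ASLR bypass, and the same corrupted vector then supplies the arbitrary read/write used to build the ROP chain that defeats DEP. The cookie check shows why a blind length overwrite stops being enough once the header is no longer a plain integer.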
Phishing, and by extension spear-phishing, remains the most widely used attack vector for one very simple reason: it is still easy to find one unsuspecting person at a target organization who will open a malicious attachment or follow a malicious link. If the exploit is a zero-day, defenses that rely on known signatures have little chance of catching the malware before it runs. This is why attackers love phishing.