Trojan.Flemex exploits flaw in Excel with embedded Flash object [UPDATED]

A new malware description from Symantec is located at
securityresponse.symantec.com/avcenter/venc/data/trojan.flemex.html.

Reportedly, the payload is that the Trojan

“may launch a Web browser, directing the user to a potentially malicious Web site, or run potentially malicious JavaScript”.

At the time of writing, there is no information about other published write-ups.

The size of the PoC-type sample Excel file is 18 432 bytes.

It is very likely that the public code for this vulnerability, posted to a mailing list, was used to generate this new Trojan.

That is, it appears that we have a new type of Trojan exploiting the unpatched code execution Excel vulnerability (let's say the 1st Excel vulnerability) described in the FAQ document, using techniques published later in the so-called 3rd Excel vulnerability. The newest Excel vulnerability is related to an embedded Shockwave Flash Object (see the link earlier). A PoC is available at the author's Web site too.
I'll update this write-up when new information is available.

UPDATE #20:15 UTC: The newest revision of the Symantec description says the vulnerability being exploited is BID18583, i.e. the newest, so-called 3rd Excel vulnerability. It appears that their first analysis was erroneous.
The new information states that there is no connection between the first and third Excel vulnerabilities.
