Kaspersky announced in a blog post that it was the one notifying Adobe of the availability of an exploit in the wild for a vulnerability that urged the release of the latest security patch for Flash Player.
The technical analysis performed by the security company revealed that a total of 11 exploits had been found, all of them consisting of unpacked SWF files embedded in DOCX for different versions of Flash.
Although specifically created for the Windows platform (XP, Vista, 2003 R2, 2003, 7, 7×64, 2008 R2, 2008, 8, and 8×64), some of them were encountered on a machine running Mac OS 10.6.8.
By the IP addresses, the affected users appear to be from China, although the documents had Korean names.
According to Kaspersky, only one of the exploits included an executable file, “a primitive downloader [identified by Kaspersky as Trojan-Downloader.Win32.Agent.hdzh] which downloads several files encrypted using Microsoft CryptoAPI from a level 3 domain (thirdbase.bugs3.com).”
From the above-mentioned server, the researchers at Kaspersky (Alexander Polyakov and Anton Ivanov) managed to extract another two executables crafted to steal mailbox passwords and extract login data and send it over to three command and control servers.
The programs targeted include Thunderbird, Foxmail, Opera, Firefox, Safari, IncrediMail, Pidgin, while some of the login pages are from email providers (Mail.ru, Google, AOL, Yahoo, Live, GMX) as well as Twitter, Facebook, Yandex, and QIP.