According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents delivered as email attachments that contain malicious Flash content.
Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player.
"To protect users of Office 2008 and earlier, the upcoming release of Flash Player will determine whether Flash Player is being launched within Microsoft Office and check the version of Office. If Flash Player is launched within a version prior to Office 2010, Flash Player will prompt the end-user before executing the Flash content," explained Peleus Uhley, Adobe's platform security strategist.
"Therefore, if an end-user opens a document containing malicious Flash content, the malicious content will not immediately execute and impact the end-user. This extra step requires attackers to integrate a new level of social engineering that was previously not required."
Users who have not enabled automatic updating of Flash can get their updates here or use the built-in updater in the Windows Control Panel or OS X System Preferences.
As a side note - I wonder if Mozilla is now reevaluating its recent decision to enable "Click to Play" in future Firefox releases for all versions of all plugins except the current version of Flash?
In the meantime, FireEye researchers have examined the payload executed as part of the above-mentioned attacks spotted in the wild, and have discovered that "even though the contents of Word files are in English, the codepage of Word files is 'Windows Simplified Chinese (PRC, Singapore)'," which might explain the origin of the attacks.
"One of the dropped executable files is digitally signed with an invalid certificate from MGAME Corporation, a Korean gaming company. The same executable renames itself to try to pass itself off as the Google update process," they shared.
The malware ensures its persistence on infected computers by adding startup registry entries, checks for installed antivirus products, and establishes contact with its C&C server.
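The persistence and impersonation behaviour described above can be checked for from the defender's side. The following PowerShell script is an added example, not code from the article or from FireEye's analysis: it lists the per-user and machine-wide Run-key startup entries and flags any binary whose Authenticode signature is not valid, or whose file name resembles Google Update without being signed by Google. The registry paths, the "googleupdate" name pattern and the "O=Google" subject match are assumptions about what such a check would look for.

```powershell
# Added example: audit Run-key startup entries for invalid signatures or Google Update look-alikes.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-StartupBinaryPath {
    param([string]$Command)
    # Strip surrounding quotes and trailing arguments to recover the executable path.
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties that Get-ItemProperty attaches to the result.
    $entries = $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }
    foreach ($entry in $entries) {
        $path = [Environment]::ExpandEnvironmentVariables((Get-StartupBinaryPath $entry.Value))
        if (-not (Test-Path $path)) {
            Write-Output "[MISSING] $key\$($entry.Name) -> $path"
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        # Assumed heuristics: a Google Update look-alike name should carry a valid Google signature.
        $looksLikeGoogle = [IO.Path]::GetFileName($path) -match 'googleupdate'
        $fromGoogle = $signer -match 'O=Google'
        if ($sig.Status -ne 'Valid') {
            Write-Output "[INVALID SIG: $($sig.Status)] $key\$($entry.Name) -> $path ($signer)"
        } elseif ($looksLikeGoogle -and -not $fromGoogle) {
            Write-Output "[IMPERSONATION?] $key\$($entry.Name) -> $path signed by $signer"
        } else {
            Write-Output "[ok] $key\$($entry.Name) -> $path"
        }
    }
}
```

Run it in an elevated session so the HKLM key is readable; entries reported as INVALID SIG or IMPERSONATION? warrant a closer look at the binary and its certificate chain.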