Couple of weeks ago, Ryan Naraine posted this blog article “Adobe Flash ads launching clipboard hijack attack” which mentions that this threat is cross platform, affecting Windows, Linux and Mac OS X users.
The latest post in Apple Discussion relating to this threat describes:
“my keyboard appears to be taken over and things are typed either in the chat box or in Safari, or basically in any app that is open.”
So, what’s happening here? I curiously investigated the proof-of-concept published by Security researcher Aviv Raff. **The link will automatically execute the code and automatically hijacks your clipboard**
The file responsible for clipboard hijacking is in a Shockwave flash file (.SWF) format. Since most of websites are implementing flash, you can’t imagine how nasty it can go if this threat will get in-the-wild.
Base from the proof-of-concept, the malicious activity was implemented using ActionScript contained in DoABC tag. As far as I understand, the malicious code does not exploit any vulnerability instead it uses a legitimate class linkages, which imports a SymbolClass “test_fla.mainTimeline”.
It’s 1:33am, I’ll update further my analysis tomorrow. Btw, there’s another report but this time, it’s Browser Hijacking, I suppose that this was implemented in SWF as well.
For the meantime, if you’re going to browse and surf the net, please make sure to disable Java, Java Script in Safari Preferences under Security Tab to avoid this threat.
Stay safe online!