PDF Hole Used in APT Attacks

Wednesday, May 1, 2013 @ 02:05 PM gHale

Whether users install a patch or not, attackers like to jump on Adobe Reader vulnerabilities to drop malware onto their targets’ computers.

Quite a few advanced persistent threat (APT) campaigns are now relying on those very security holes.

Reader PDF Tracking Bug
Adobe Patches Platforms
Adobe Fixes 4 Flash Flaws
Flash, Reader, Java Fall in Contest

At least three APTs rely on the CVE-2013-0640 vulnerability to distribute malware, said researches at Trend Micro. This exploit remains well known because it saw use in the MiniDuke campaign.

One of the campaigns that use the PDF exploit is Zegost. Experts identified PDF documents, written in Vietnamese, that are very similar to the files used in the MiniDuke attacks.

The dropped files and data are similar, their number is similar, and their purposes are also very much the same. However, the payload dropped in the Zegost attacks isn’t connected in any way with the MiniDuke malware payload.

Another series of malicious PDFs were in the PlugX campaigns. Cyber criminals, possibly not related to each other, have attempted to drop various versions of PlugX on the computers of users from Japan, India and South Korea.

While there have been some similarities between the Zegost and the MiniDuke operations, the researchers said these PlugX attacks are different.

“Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal,” said Nart Villeneuve, senior threat researcher at Trend Micro.

“At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability. The increase in malicious PDF’s exploiting CVE-2013-0640 may indicate the start of shift in APT attacker behavior away from using malicious Word documents that exploit the now quite old CVE-2012-0158.”

Leave a Reply

You must be logged in to post a comment.