The ZeuS/ZBOT malware continues to uphold its notorious reputation. As we have seen in the past, ZBOT variants steal account credentials when users visit various social networking, online shopping, and bank-related websites.
Another social engineering tactic that has been employed by ZeuS/ZBOT perpetrators is the use of .PDF files. Specially crafted .PDF files have been used as a vehicle for malware propagation by exploiting different vulnerabilities discovered in Adobe Reader and Acrobat.
Recently, however, we spotted a specially crafted .PDF file that drops a ZBOT variant without exploiting a vulnerability. Instead, this malicious file abuses a legitimate Adobe Reader feature: the /Launch action in the PDF specification, as security researcher Didier Stevens demonstrated in his blog. This action allows a portable document author to attach an executable file and, via social engineering, trick users into saving and running the embedded file.
Trend Micro currently detects the specially crafted .PDF file as TROJ_PIDIEF.UTA. The said file arrives as an attachment to a spammed message supposedly from “Royal Mail.” The email body states that a mail it tried to deliver was not received and that the attached Royal_Mail_Delivery_Invoice_1092817.pdf is a notification for the delivery invoice.
Upon opening the malicious .PDF file, Adobe Reader and Acrobat prompt the user that the file contains a potential security risk and that the program should only be allowed to run it if the file came from a trusted source. The prompt itself is a legitimate feature of Adobe Reader and Acrobat; it is the user's click on the Open button that executes the malicious embedded file and drops the ZBOT variant. The dropped file is detected by Trend Micro as TSPY_ZBOT.NCT. To further trick the user into thinking the file is legitimate, the .PDF file displays a calendar, which helps hide its routines from the user.
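A small scanner that flags PDFs carrying a /Launch action, written for this post as an added example (not Trend Micro's code or the detection its products use). The sample PDF is constructed for the example, with a placeholder file name; it spells the action name as /#4Caunch because the PDF format allows hex-escaped names, so a naive string match on "/Launch" can miss a file that Reader will still act on.

```python
import re

# Constructed sample for this example, not the TROJ_PIDIEF.UTA file: a minimal
# PDF whose /OpenAction is a /Launch action. The launched file name is a
# placeholder, and "/#4Caunch" is the hex-escaped spelling of "/Launch".
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /Type /Action /S /#4Caunch /F (attachment.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

NAME_RE = re.compile(rb"/([A-Za-z0-9#_.-]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names worth flagging; /Launch is the one this post describes.
SUSPICIOUS = {
    b"Launch": "launch action: asks Reader to run an external program",
    b"OpenAction": "action fired as soon as the document is opened",
    b"EmbeddedFile": "embedded file stream (attachment)",
    b"JavaScript": "embedded JavaScript",
}

def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so /#4Caunch reads as /Launch."""
    decode = lambda m: b"/" + HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    return NAME_RE.sub(decode, data)

def scan_pdf(data: bytes) -> dict:
    """Return the suspicious names found, the /Launch target (if any) and a verdict."""
    norm = normalize_names(data)
    names = {m.group(1) for m in NAME_RE.finditer(norm)}
    findings = {k.decode(): v for k, v in SUSPICIOUS.items() if k in names}
    # Pull the /F entry out of the same dictionary as /S /Launch (simplified:
    # assumes /S precedes /F and the dictionary is not split across objects).
    m = re.search(rb"/S\s*/Launch\b[^>]*?/F\s*\(([^)]*)\)", norm)
    target = m.group(1).decode("latin-1") if m else None
    # A launch action wired to /OpenAction prompts the user as soon as the file
    # opens, which is the Open dialog the post describes; treat it as high risk.
    if "Launch" in findings:
        verdict = "high" if "OpenAction" in findings else "medium"
    elif findings:
        verdict = "low"
    else:
        verdict = "clean"
    return {"findings": findings, "launch_target": target, "verdict": verdict}

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

The scanner works on the raw file bytes, so it will not see names hidden inside compressed object streams; a production tool should decompress those first.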
Adobe is currently conducting research on how to mitigate this security hazard. As a precaution, however, users of Adobe Reader and Acrobat can change the program settings to disable the execution of attachments in portable documents. This can be done by following these steps:
- In Adobe Reader and Acrobat, click the Edit menu, then click Preferences.
- In the Trust Manager category, uncheck the Allow opening of non-PDF file attachments with external applications box.
Trend Micro protects users from this attack via the Smart Protection Network™, which blocks user access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service.