A couple of days after PoC exploit code for a critical flaw in Adobe Reader and Acrobat was discovered (which Trend Micro detects as EXPL_PIDIEF.A), TrendLabs has received reports of Trojan-downloading PDF files making the rounds in email inboxes. And yes, the said malicious PDFs use that exploit code. Incidentally, Adobe released a patch for this flaw only about a day ago, so it seems that the malware authors are banking on the idea that most Reader and Acrobat users haven’t downloaded and installed the critical update yet.
Based on the initial analysis of Senior Threat Researcher Ivan Macalintal, the PDF files bear “business-sounding” file names such as YOUR_BILL.PDF or INVOICE.PDF. Once the PDF successfully exploits the Adobe vulnerability, the payload proceeds to disable the Windows Firewall, downloads an .EXE file, and steals information from the affected system.
Ivan further notes that the servers and file names used by this malware are the same as those used by the VML exploit attacks of September last year, and are related to the CWS, Snifula, and UrSnif attacks in the past. In addition, it seems that the spammed messages carrying the malicious PDFs originate from the Russian Business Network (see our related blog entry and an interesting article from The Washington Post). Again.
Trend Micro detects the PDF file as EXPL_PIDIEF.B, and the downloaded .EXE file as TSPY_PAPRAS.CF.