PDF Flaws Abused within APT Attacks, States Trend Micro
Cyber-criminals frequently exploit vulnerabilities in Adobe Reader to plant malicious software on people's PCs, say security researchers at the Internet security company Trend Micro. The researchers report that they have detected several APT (advanced persistent threat) campaigns that make use of these vulnerabilities.
After analyzing a number of APT campaigns, the Trend Micro experts found that at least three of them abused the CVE-2013-0640 security flaw to distribute malicious software. The exploit gained considerable popularity after it was used in the MiniDuke attack.
One of the three campaigns, which abuses a Portable Document Format (PDF) flaw, has been named Zegost. The PDF documents identified in it were found to contain Vietnamese-language text, and they bear a strong resemblance to the files used in the MiniDuke campaign.
The malware and data planted are similar, their numbers match, and the objectives are identical as well. However, the payload dropped in the Zegost campaign has no connection whatsoever with the malicious payload of MiniDuke, Trend Micro notes.
The company also identified another set of malicious PDF files used in PlugX campaigns, which may not be strictly related to one another. These attacks targeted entities in India, South Korea and Japan.
The PlugX campaigns also abuse the CVE-2013-0640 flaw, but they are separate from the Zegost and MiniDuke attacks. They too drop data and files, which are nonetheless different from those of MiniDuke and Zegost; the number of files dropped and their objectives differ as well.
Senior Threat Researcher Nart Villeneuve at Trend Micro blogged that the company's analysis showed that the perpetrators of APT campaigns might have taken the exploit, which had become notorious during the MiniDuke attacks, and added it to their arsenal. At the same time, other APT campaigns appeared to have their own techniques for abusing the same flaw. And as the number of malicious PDFs abusing the CVE-2013-0640 vulnerability was increasing, it showed that APT attackers were shifting from malicious Word files, which abused the now fairly old CVE-2012-0158 flaw, to PDF documents, the researcher wrote. Blog.trendmicro.com published this on April 29, 2013.
SPAMfighter News - 04-05-2013