Categories

Exploits

Email-borne exploits: the not-so innocuous killers targeting small business

Update (05/21/2014): As previously suspected, other reports also support that CVE-2013-2729 is being used in malicious PDFs).

Email remains a widely used infection vector that mostly relies on social engineering a victim to click on a link or execute an attachment.

As far as malicious attachments go, the majority are zipped executables that often use the double extension trick (i.e. Invoice.doc.exe) and will directly infect a user’s PC as soon as they are ran.

But there’s another type of malicious attachments, one that we seldom hear about, that may deceive a lot of people and sneak by your antivirus: regular documents that have been exploited.

Just a couple of days ago, we spotted a new wave of spam emails spewing malicious PDF files. The decoy, which purports to be an invoice, is directly attached to an email targeting small businesses:

email

or a more generic fake Amazon invoice:

amazon_spam

All it takes for the infection to propagate is a double-click on the PDF (April invoice 332741.pdf - Order details 749-3004132-4433411.pdf) and a vulnerable version of Adobe Reader (version 11.0 was used in this test).

readerversion

This is a two-step exploitation, with first a fake error message (JavaScript):

exploit_pdf_pre

which leads to the actual exploit (CVE-2013-2729). If you have information, please share):

exploit_PDF

Let’s have a (quick) look at the underlying structure for this exploit: shellcode, heap spray

shellcode

chunky

(Update 05/12/14)

The shellcode contains the URL that the exploit will contact to download the malicious payload. We can extract it using pdf-parser from Didier Stevens:

dump_shellcodeThen use a tool (Converter from Kahu Security) to convert Unicode to EXE:

converterAnd finally view the URL with PE Insider:

hex

This is what happens if you open the PDF with a vulnerable version (click to enlarge):

procmon

Adobe Reader downloads dr-gottlob-institut . de/11.exe (91aa1168489a732ef7a70ceedc0c3bc9), which in turn downloads pgalvaoteles . pt/111(91d33fc439c64bd517f4f10a0a4574f1):

fiddler

It is worth noting that both files have ‘Adobe Reader themed’ icons:

file_icons

The dropped files download many additional pieces of malware: the infamous ZeuS banking Trojan, CryptoLocker as well as other threats as seen in this Malwarebytes Anti-Malware scan report:

MBAM

But, as with all malware, prevention is better than cure. Our Malwarebytes Anti-Exploit product is able to stop this threat before it can do damage:

exploit_blocked

The threat is blocked as soon as the user opens up the malicious document, preventing malicious code from ever entering their PC.

Perhaps this type of threat became a little more well-known with the recent Microsoft Word Zero-Day (CVE-2014-1761) embedded in RTF documents that could exploit a system and download remote code, showing that not all exploits stem from browsing booby-trapped websites.

Here’s why exploit protection is also a better solution in this case: malicious documents typically have much lower detection rates than traditional malware binaries (notice how the bad guys didn’t even bother zipping the attachment).

There are more chances for a malicious PDF to make its way past the spam filters and more chances for the user to open it (don’t we all open PDFs from our inbox without thinking twice?).

Also, while you may want to send attachments to online scanning services such as VirusTotal, would you really want to upload and share with the world private contracts, invoices, etc?

It would be very interesting to know the infection rates between malicious documents and malware binaries. While the former do rely on the user’s machine being outdated, that factor is counter-balanced by the inherent trust in documents (Word, Excel, PDF, etc).

To mitigate these attacks, always make sure that your operating system is up-to-date as well as all the browsers and their respective plugins.

Of course, there will always be Zero-Days that make this recommendation useless, which is why exploit protection is more and more crucial.

@jeromesegura


  • Pingback: New Security Risks | TWIST3D.NET

  • Pingback: A Week in Security (May 4 – 10) | Malwarebytes Unpacked

  • Giulio Bilato

    They send to you a file .zip and when you open the e-mail and the file .zip it open winzip or winrar and it extract a word file and injects the virus identificable . DON’T INSERT ANY PASSWORD OUT OF YOUR USER PASSWORD FOR ENTER INTO WINDOWS.

  • https://www.facebook.com/andreesito.ferralees Andreesito Ferralees

    And me thinking CryptoLocker was vanished out of our computers… WHY IT HAD TO COME BACK?!?!?!

  • http://eternal-todo.com Jose Miguel Esparza

    Hi!

    I have also analyzed these PDF documents with peepdf and I can say that they are exploiting the CVE-2013-2729 vulnerability (Adobe Reader BMP/RLE heap corruption vulnerability). They copied the PoC written by Felipe Manzano and modified it. You can see the PDF analysis here:

    http://eternal-todo.com/blog/cve-2013-2729-exploit-zeusp2p-gameover

    Maybe you can take a look at peepdf to analyze PDF documents. It can be useful because you don’t need more than one tool to perform the analysis ;)

    Cheers!

    Jose

  • Jérôme Segura

    Hi Jose Miguel Esparza,

    Thanks for the technical details regarding the vulnerability used.
    I’ll check out peepdf next time I need to reverse a PDF ;-)

Subscribe to our YouTube Channel