Researchers from security companies Zscaler and Seculert have issued a warning about bogus emails targeting employees of defense-related organizations around the world in order to trick them into installing malware.
“Dear Sir, It is a conference that you may possibly be interested in. More information is attached below,” reads one of the recent emails. The attached file is a specially crafted PDF that, at first glance, looks like a completely harmless invitation to a relevant industry conference, such as the IEEE Aerospace Conference or an Iraq Peace Conference.
But, once downloaded and opened, the file exploits vulnerabilities within Adobe Reader in order to drop and run a Trojan that opens a backdoor into the system.
“The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox,” explain the researchers. “The Trojan functionality is decrypted at run-time, and includes expected functionality, such as downloading, uploading, and executing files driven by commands from the C&C.”
“Communication with the C&C is over HTTP but is encoded to evade detection. The Trojan file name (e.g., ‘msupdate.exe’) and the HTTP paths used in the C&C (e.g., ‘/microsoftupdate/getupdate/default.aspx’) are used to stay under the radar by appearing to be related to Microsoft Windows Update.”
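The disguise described above (a Windows Update-style path served from a host that is not Microsoft's) is something a proxy or web-gateway log review can catch, because the path and the host disagree. The following is an added example, not code from the researchers or from the report: it runs over a few constructed proxy log lines in an assumed "timestamp client method url status user-agent" format, and flags any request whose path imitates Windows Update naming but whose host is not under a Microsoft-controlled domain (the trusted-domain list is an assumption). The legitimate-looking sample line to update.microsoft.com shows why the check must be on the host, not the path alone.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the researchers' report). Format assumed:
# "<timestamp> <client_ip> <method> <url> <status> <user_agent>".
SAMPLE_PROXY_LOG = """\
2012-02-13T10:01:02Z 10.0.0.12 GET http://download.windowsupdate.com/msdownload/update/software/secu/2012/02/x.cab 200 Windows-Update-Agent
2012-02-13T10:01:05Z 10.0.0.12 GET http://update.microsoft.com/windowsupdate/v6/default.aspx 200 Mozilla/4.0
2012-02-13T10:02:17Z 10.0.0.44 GET http://203.0.113.7/microsoftupdate/getupdate/default.aspx?id=ab12 200 Mozilla/4.0 (compatible; MSIE 6.0)
2012-02-13T10:02:18Z 10.0.0.44 POST http://news-example.invalid/microsoftupdate/getupdate/default.aspx 200 Mozilla/4.0 (compatible; MSIE 6.0)
2012-02-13T10:03:00Z 10.0.0.51 GET http://www.example.com/index.html 200 Mozilla/5.0
"""

# Assumption: these registrable domains (and their subdomains) are the only
# legitimate destinations for Windows Update traffic in this environment.
TRUSTED_UPDATE_DOMAINS = ("microsoft.com", "windowsupdate.com")

# Paths that imitate Windows Update naming, e.g. '/microsoftupdate/getupdate/default.aspx'.
UPDATE_LIKE_PATH = re.compile(r"/(?:microsoft|windows|ms)update/", re.IGNORECASE)

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ua>.*)$"
)


def is_trusted_update_host(host: str) -> bool:
    """True only for hosts under a trusted domain; IP literals are never trusted.

    Suffix matching requires a leading dot so 'evil-microsoft.com' and
    'microsoft.com.attacker.invalid' do not pass.
    """
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # a raw IP can never be Microsoft's update service
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in TRUSTED_UPDATE_DOMAINS)


def find_suspicious(log_text: str) -> list:
    """Return one record per request with an update-like path on an untrusted host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = urlsplit(m["url"])
        host = url.hostname or ""
        if UPDATE_LIKE_PATH.search(url.path) and not is_trusted_update_host(host):
            hits.append(
                {"client": m["client"], "method": m["method"], "host": host, "path": url.path}
            )
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_PROXY_LOG):
        print(f"{hit['client']} {hit['method']} {hit['host']}{hit['path']}")
```

Both flagged lines come from the same client, which is the kind of pivot (one host beaconing to an untrusted "update" server) that would justify pulling that machine for the msupdate.exe file name and the VM-aware dropper the report describes.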
According to the researchers’ report, these attacks have been going on since 2009 and are thought to be the work of the same cybercriminal group. The example above is only the latest incarnation of their approach, and is probably not going to be the last.
The general purpose of the dropped malware is to exfiltrate sensitive information from the targeted organizations’ systems, and given who those targets are, it is not far-fetched to assume that a nation-state is likely to be behind these attacks.