While things had been quiet, we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back, as we've been seeing evidence of their attacks since January, including an attack I’d like to talk about below.
A PDF malware sample exploiting a critical Adobe zero-day vulnerability was reported in the wild a few days ago. In this post we want to provide more information about this in-the-wild malware and the attack rather than the vulnerability itself.
A public report of the PDF malware seen in the wild showed a socially engineered email with the following properties:
Subject: “David Leadbetter’s One Point Lesson”
Sent date: “Monday, September 06, 2010 8:01 AM”
Attachment: Golf Clinic.pdf (MD5: 9c5cd8f4a5988acae6c2e2dce563446a)
The PDF file attached to the email exploits the Adobe Reader 'CoolType.dll' TTF Font Remote Code Execution Vulnerability (BID 43057). It uses a technique known as return-oriented programming (ROP) to bypass Data Execution Prevention (DEP), reusing code already present in the icucnv36.dll module. That module was not built to support Address Space Layout Randomization (ASLR), so Reader loads it at the same virtual address every time, which gives the exploit a predictable location for the code it reuses. DEP and ASLR are operating-system mitigations designed to prevent exploitation.
Once the exploit succeeds, the malware drops a DLL downloader component in the %Temp% folder under the file name hlp.cpl, which then downloads additional malware. The hlp.cpl file has five exports, whose functionality is self-explanatory from their names, shown below:
The file also carried a valid digital signature, made with a stolen code-signing certificate, shown in the image below:
The certificate has a validity date of 10/25/2009 to 10/26/2010. The signing time wasn’t available.
One interesting observation is that the decoy PDF the malware opens after exploitation is stored as data appended to the end of this executable. This, together with the naming of the DLL's export functions, shows that the file was built to be used with the PDF exploit and was not signed as a generic downloader. However, the fact that it was signed does not necessarily prove that the vulnerability was known at the time of signing. The social engineering content in the email below is close to the first reported sample discussed above, but with some minor differences.
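Two of the points above lend themselves to a simple triage check that a defender can run over a suspect binary: whether a module opted in to ASLR and DEP (the DYNAMICBASE and NX_COMPAT bits in the PE optional header's DllCharacteristics field), and whether the file carries an overlay, that is, bytes appended past the end of the last section, which here was where the decoy PDF lived. The following is an added example, not code from the original post or from Symantec; it parses the PE headers directly with the standard library, and the PE sample it analyses is constructed inline so the script runs offline. The two flag values are the documented PE constants; the sample's section layout and its "%PDF" overlay are assumptions made for the demonstration. It goes slightly beyond the post by reporting any overlay, not only a PDF one.

```python
import struct

# Documented DllCharacteristics bits from the PE specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image can be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible


def analyze_pe(data: bytes) -> dict:
    """Return ASLR/DEP opt-in flags, section layout and overlay info for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff = e_lfanew + 4                      # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # optional header follows COFF header
    # DllCharacteristics sits at offset 70 of the optional header for PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    sections = []
    overlay_start = 0
    first_section = opt + size_of_opt        # section table (40 bytes per entry)
    for i in range(num_sections):
        off = first_section + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", errors="replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append({"name": name, "raw_ptr": raw_ptr, "raw_size": raw_size})
        overlay_start = max(overlay_start, raw_ptr + raw_size)

    # Anything beyond the last section's raw data is an overlay the loader ignores.
    overlay = data[overlay_start:] if overlay_start < len(data) else b""
    if not overlay:
        overlay_kind = "none"
    elif overlay.startswith(b"%PDF"):
        overlay_kind = "pdf"
    else:
        overlay_kind = "unknown"

    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "sections": sections,
        "overlay_offset": overlay_start,
        "overlay_size": len(overlay),
        "overlay_kind": overlay_kind,
    }


def build_sample_pe(dll_characteristics: int, overlay: bytes) -> bytes:
    """Construct a minimal, non-functional PE32 image with one section (test input only)."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = bytearray(224)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 36, 0x200)                 # FileAlignment
    struct.pack_into("<H", opt, 70, dll_characteristics)   # DllCharacteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    raw_ptr, raw_size = 0x200, 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size,
                          raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(raw_ptr, b"\0")
    body = b"\xC3" * raw_size                              # constructed section bytes
    return headers + body + overlay


def triage_report(data: bytes) -> list:
    """Human-readable findings of the kind an analyst would flag."""
    info = analyze_pe(data)
    findings = []
    if not info["aslr"]:
        findings.append("no DYNAMICBASE: module loads at a fixed address")
    if not info["dep"]:
        findings.append("no NX_COMPAT: module does not opt in to DEP")
    if info["overlay_kind"] != "none":
        findings.append("overlay of %d bytes at 0x%x (%s)" % (
            info["overlay_size"], info["overlay_offset"], info["overlay_kind"]))
    return findings


if __name__ == "__main__":
    # Constructed stand-in for a dropper with a decoy PDF appended (not the real sample).
    suspect = build_sample_pe(0, b"%PDF-1.4\n% constructed decoy\n")
    for line in triage_report(suspect):
        print(line)
```

Run against a real file by replacing the constructed sample with `open(path, "rb").read()`; a module with no findings has both mitigations enabled and nothing appended.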
Furthermore, the emails below date back even further, to September 1st, 2010, with various subjects.
If the above emails look familiar, it is because their style is very similar to the emails used in the Hydraq (Aurora) attacks. In addition, the use of a zero-day within a PDF, and the way the executable is dropped on the system, all match the Hydraq method of operation. Furthermore, we have seen a large number of detections of unique versions of the PDF—not yet seen elsewhere in the wild—coming from a single computer in the Shandong Province of China, which is where investigators were able to trace the Hydraq attacks back to.
All of these similarities could be coincidental, but these attacks appear to be from the same perpetrators. The PDFs inside all the above emails exploit the same Adobe zero-day vulnerability and each drop similar downloader components, but with different decoy PDFs. Some had different URLs to download additional malware.