While things had been quiet, we were quite certain that the gang behind Trojan.Hydraq hadn't gone away. It looks like they are back, as we've been seeing evidence of their attacks since January, including an attack I’d like to talk about below.
A PDF malware sample exploiting a critical Adobe zero-day vulnerability was reported in the wild a few days ago. In this post we want to provide more information about this in-the-wild malware and the attack rather than the vulnerability itself.
A public report of the PDF malware seen in the wild showed a socially engineered email with the following properties:
- Subject: “David Leadbetter’s One Point Lesson”
- Sent date: “Monday, September 06, 2010 8:01 AM”
- Attachment: Golf Clinic.pdf (MD5: 9c5cd8f4a5988acae6c2e2dce563446a)
The PDF file attached to the email exploits the Adobe Reader 'CoolType.dll' TTF Font Remote Code Execution Vulnerability (BID 43057). It uses a technique known as return-oriented programming (ROP) to bypass Data Execution Prevention (DEP), reusing code fragments from the icucnv36.dll module. This module is not compatible with Address Space Layout Randomization (ASLR), so it is loaded at the same virtual address every time the reader loads it, which makes its code a reliable ROP source. DEP and ASLR are operating-system mitigations designed to make exploitation harder.
Once successfully exploited, the malware drops a DLL downloader component in the %Temp% folder with the file name hlp.cpl, which downloads additional malware. The hlp.cpl file has five exports, whose functionality is self-explanatory from their names, shown below:
- DeleteMySelf
- DownloadFile
- IsAdmin
- MakeAndShowEgg
- Startup
The file also carried a valid digital signature, produced with a stolen code-signing certificate, shown in the image below:
The certificate has a validity date of 10/25/2009 to 10/26/2010. The signing time wasn’t available.
One interesting observation is that the decoy PDF the malware opens after exploitation is stored as data appended to the end of this executable. This, together with the names of the DLL's export functions, shows that it was built to be used with the PDF exploit rather than signed as a generic downloader. However, this does not necessarily prove that the vulnerability was already known at the time the file was signed. The social engineering content in the email below is close to the first reported sample discussed above, but with some minor differences.
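Two of the file-level observations above, a ROP source module that does not opt in to ASLR and a decoy PDF appended to the dropped executable, can both be checked from PE headers alone. The following Python script is an added example, not code from Symantec or from the original post: it reads the DllCharacteristics field of the PE optional header to report whether a module requests ASLR and DEP, then computes where the last section's raw data ends and looks for a %PDF- header in the overlay. The build_sample_pe helper constructs a minimal one-section PE32 image purely for demonstration; it is not the hlp.cpl sample and uses no values from the attack.

```python
import struct

# Flags in the optional header's DllCharacteristics field (PE/COFF spec).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module opts in to DEP


def parse_pe(data: bytes) -> dict:
    """Read just enough of a PE file to report its ASLR/DEP opt-in flags and
    any 'overlay' (bytes appended after the last section's raw data)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                    # IMAGE_OPTIONAL_HEADER
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    sections = opt + opt_size                          # first IMAGE_SECTION_HEADER (40 bytes each)
    end_of_sections = 0
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData are at offsets 16 and 20 of each section header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, sections + i * 40 + 16)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "overlay_offset": end_of_sections,
        "overlay": data[end_of_sections:],
    }


def find_appended_pdf(data: bytes):
    """Return (file offset, pdf bytes) if a PDF is hidden in the overlay, else None."""
    info = parse_pe(data)
    idx = info["overlay"].find(b"%PDF-")
    if idx < 0:
        return None
    return info["overlay_offset"] + idx, info["overlay"][idx:]


def build_sample_pe(dll_chars: int, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (one .text section) used as test input;
    this is a hypothetical file, not a sample from the attack."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature
    section_bytes = b"\x90" * 0x200
    raw_ptr = 0x40 + 4 + 20 + 0xE0 + 40                # headers end here (352 bytes)
    # Machine=i386, 1 section, optional header 0xE0 bytes, EXECUTABLE|DLL|32BIT.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_bytes), 0x1000,
                          len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section + section_bytes + overlay


if __name__ == "__main__":
    decoy = b"%PDF-1.4\n% constructed decoy document\n%%EOF\n"
    sample = build_sample_pe(0, overlay=decoy)         # no ASLR/DEP opt-in, PDF in overlay
    info = parse_pe(sample)
    print("ASLR opt-in:", info["aslr"], " DEP opt-in:", info["dep"])
    hit = find_appended_pdf(sample)
    print("appended PDF at offset", hit[0] if hit else None)
```

Run against a real module, the ASLR flag tells you whether it would load at a predictable address and so could serve as ROP material, which is the property the post attributes to icucnv36.dll; run against a dropped executable, the overlay check is a quick triage step for embedded decoy documents such as the one carried by hlp.cpl. The overlay calculation ignores the Authenticode signature directory, so a signed file will normally show a non-empty overlay containing the signature rather than a PDF, which is why the function searches for the %PDF- marker instead of treating any overlay as suspicious.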
Furthermore, the emails below date back even further, to September 1st, 2010, with various subjects.
If the above emails look familiar, it is because their style is very similar to the emails used in the Hydraq (Aurora) attacks. In addition, the use of a zero-day within a PDF, and the way the executable is dropped on the system, all match the Hydraq method of operation. Furthermore, we have seen a large number of detections of unique versions of the PDF, not yet seen elsewhere in the wild, coming from a single computer in the Shandong Province of China, which is also where investigators were able to trace the Hydraq attacks.
All of these similarities could be coincidental, but these attacks appear to be from the same perpetrators. The PDFs inside all the above emails exploit the same Adobe zero-day vulnerability, and each drops a similar downloader component, but with a different decoy PDF. Some had different URLs from which to download additional malware.
This leads us to think that the exploit was in the wild at least as early as September 1st, 2010. Symantec detects all of the malware components and the exploit PDFs. The malicious emails were successfully blocked and marked as malware by Symantec Hosted Services (MessageLabs). The exploit PDFs are detected as Bloodhound.PDF!gen1 and as Bloodhound.Exploit.357. As always, keep your antivirus, IPS, and IDS signatures up to date and exercise caution when dealing with PDF files (in fact, with any kind of email). If possible, we also advise disabling JavaScript support in your PDF reader.