Posts tagged Reader
As mentioned by Symantec & Seculert, a spear phishing campaign has involved a fake Mandiant APT1 PDF report, a report published by Mandiant earlier this week (APT1: Exposing One of China’s Cyber Espionage Units). This fake PDF was used in targeted attacks against Japanese entities and exploiting code for Adobe Acrobat and Reader Remote Code Execution Vulnerability (CVE-2013-0641).
Despite the analysis of Symantec, I can confirm you that the PDF is dropping malware onto the computer.
PDF file name is “Mandiant.pdf” with 2a42bf17393c3caaa663a6d1dade9c93 hash (23 / 46 on VirusTotal). Once opened an error message is displayed.
After ignoring this error message the vulnerability is exploited and drop “AdobeARM.exe” (41915b34fc50ffdd2a6a0969e3f55ff1) in “C:\Documents and Settings\<USER>\Local Settings\Temp” Windows folder. Chinese simplified ressource language is used for this executable.
“AdobeARM.exe” is connecting to domain name “www.shounkaku.co.jp“, a legit website, and to folder “/space/fsjd-ge3234c4d61033.gif“. The file is actually no more existing.
Interesting strings in “AdobeARM.exe” are “Hello from MFC!” (Military Force of China ?).
Here under a demonstration video of the exploitation.
FireEye team has report a new Adobe Reader and Acrobat zero day exploited in the wild. This new 0day allow exploitation of the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1 with sandbox bypass. In the information’s provided on FireEye blog post, it seem that two DLLs are dropped by the malicious PDF and that fake error message appears.
Adobe has acknowledge a potential vulnerability in his latest PDF Reader through a post on PSIRT (Product Security Incident Response Team) blog.
In the screenshot provided by FireEye, who don’t provide a lot of details, we can see a call to a “/index.php” page, which will potentially mean that the PDF 0day is streamed from the PHP file. Also we can observe that the involved user agent is MSIE 7 (aka Internet Explorer 7) under windows NT 5.1 (aka Windows XP).
According to a post on threatpost.com:
Attackers are using malicious PDFs posing as an application for an international travel visa to exploit a zero-day vulnerability in Adobe Reader and Acrobat.
Happy 0day Hunting
Despite the lack of information’s, after some researches yesterday night, I found the following file “Visaform Turkey.pdf” (f3b9663a01a73c5eca9d6b2a0519049e).
— Eric Romang (@eromang) 13 février 2013
And through other researches, we found at 10pm the supposed C&C server aka “http://bolsilloner.es/index.php“.
“Visaform Turkey.pdf” was submitted on VirusTotal the 2013-02-11 and was recognized as “HEUR:Exploit.Script.Generic” at this time. This file was also submitted on malware tracker the 2013-02-12 and you can find some interesting information in this submission. Also the same file was submitted the 2013-02-13 to Wepawet. C&C server was submitted to jsunpack the 2013-02-13 without any associate outputs.
Adobe Security Advisory APSA13-02
Adobe PSIRT has release a security advisory APSA13-02 regarding two vulnerabilities CVE-2013-0640 (base CVSS score of 9.3) and CVE-2013-0641 (base CVSS score of 9.3) in Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh. Also this security advisory confirm the exploitation of these vulnerabilities in targeted attacks through spear phishing campaign. Adobe is working on the issue and will provide updated versions asap. Affected softwares are:
- Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
- Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
- Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh and Linux
- Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
- Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
- Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh
Regarding Adobe security advisory, the vendor recommend, for users of Adobe Reader XI and Acrobat XI for Windows, as workaround to enable “Protected View“. To enable this setting, choose the “Files from potentially unsafe locations” option under the Edit > Preferences > Security (Enhanced) menu. The problem is that despite “Protected Mode” is activated, and as discussed on Twitter with @artem_i_baranov, and also mentioned by Ars Technica, “Protected View” is off when using the default version.
According to the documentation of “Protected View“:
When Protected View in enabled, PDFs are displayed in a restricted environment called a sandbox.
So it means, that by default sandbox is deactivated during display of PDFs.
Also Mac OS X users, and Linux users are not protected by this workaround who is only available for Windows.
Sophos has release a screenshot of the “Visaform Turkey.pdf” file and additional informations.
“Visaform Turkey.pdf” Sample Analysis
Based on the poor sample we found on malware tracker (please re-enable the download functionality !), we started to analyse it.
First interesting information:
It could be that the “Protected Mode” could be bypassed via pdf properties. After some researches it doesn’t seem linked.
Second interesting information: The date in the document appear to be f****ng old !!!! (2012-11-08).
Third sHOGG function is used to decrypt a bunch of variables in the code.
By using this function on certain variables, we can confirm that the following Adobe Readers were targeted:
Also some special cases, for some specific languages and only with Reader 9.502 or 10.104, are forced.
I also can confirm that the code is heavily obfuscated with bunch of variable and functions names in Italian, like “dIAVOLO”, “bENEDETTO”, “sENTIRSI”, “aPPARENZA”, “fISAMENTE”, “pRESUNSI”, “cOCOLLE”, “sCHIUMA”, “pENITENZA”, etc.
Regarding different sources, files dropped by the PDF:
- “L2P.T” (3a2547af14b5621f43481a70f32ccef3). Analysis on VirusTotal.
- “LangBar32.dll” (97777F269AE807891DAC4B388C66A952). Analysis on VirusTotal.
- “Visaform Turkey.pdf” (F475A43D374334197099ADA17720EB00). Analysis on VirusTotal.
- “D.T” (CB33E97F46A219804DDB373FF982D694). Analysis on VirusTotal.
I will keep you in touch, in this post, if I have any additional information’s.
Adobe has release, the 8 January 2013, during his January Patch Tuesday, one Adobe Reader and Acrobat security bulletin dealing with 27 vulnerabilities. All these security bulletins have a Critical severity rating. 26 of these vulnerabilities have a 10.0 CVSS base score.
APSB13-02 - Security updates available for Adobe Reader and Acrobat
APSB13-02 is concerning :
- Adobe Reader XI (11.0.0) for Windows and Macintosh
- Adobe Reader X (10.1.4) and earlier 10.x versions for Windows and Macintosh
- Adobe Reader 9.5.2 and earlier 9.x versions for Windows and Macintosh
- Adobe Reader 9.5.1 and earlier 9.x versions for Linux
- Adobe Acrobat XI (11.0.0) for Windows and Macintosh
- Adobe Acrobat X (10.1.4) and earlier 10.x versions for Windows and Macintosh
- Adobe Acrobat 9.5.2 and earlier 9.x versions for Windows and Macintosh
CVE-2013-0601 (10.0 CVSS base score), CVE-2013-0602 (10.0 CVSS base score), CVE-2013-0605 (10.0 CVSS base score), CVE-2013-0606 (10.0 CVSS base score), CVE-2013-0607 (10.0 CVSS base score), CVE-2013-0608 (10.0 CVSS base score), CVE-2013-0609 (10.0 CVSS base score), CVE-2013-0610 (10.0 CVSS base score), CVE-2013-0611 (10.0 CVSS base score), CVE-2013-0612 (10.0 CVSS base score), CVE-2013-0613 (10.0 CVSS base score), CVE-2013-0614 (10.0 CVSS base score), CVE-2013-0615 (10.0 CVSS base score), CVE-2013-0616 (10.0 CVSS base score), CVE-2013-0617 (10.0 CVSS base score), CVE-2013-0618 (10.0 CVSS base score), CVE-2013-0619 (10.0 CVSS base score), CVE-2013-0620 (10.0 CVSS base score) and CVE-2013-0621 (10.0 CVSS base score), that could lead to code execution, have been discovered and reported by Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team.
CVE-2013-0623 (10.0 CVSS base score), that could lead to code execution, has been discovered and reported by Alexander Gavrun through iDefense’s Vulnerability Contributor Program and by David D. Rude II of iDefense Labs.
CVE-2013-0624 (10.0 CVSS base score), that could bypass security, has been discovered and reported by Billy Rios, Federico Lanusse and Mauro Gentile.
CVE-2013-0626 (10.0 CVSS base score), that could bypass security, has been discovered and reported by an unknown security researcher.
CVE-2013-0627 (7.2 CVSS base score), that could lead to local privilege escalation, has been discovered and reported by Myke Hamada, Joost Bakker, Anand Bhat and Timothy McKenzie.
The August version of KaiXin was supporting:
- CVE-2011-3544 : An Oracle Java vulnerability fixed during October 2011 CPU.
- CVE-2012-0507 : An Oracle Java vulnerability fixed during February 2012 CPU.
- CVE-2012-1723 : An Oracle Java vulnerability fixed during June 2012 CPU.
- CVE-2012-0754 : An Adobe Reader vulnerability fixed in APSB12-03.
- CVE-2012-1889 : An Microsoft XML Core Service vulnerability fixed in MS12-043.
November version of KaiXin has involve by removing support of Oracle Java CVE-2012-0507 and CVE-2012-0754 vulnerabilities, and adding support of Oracle Java CVE-2012-1723 (fixed in Jun 2012 CPU), of Oracle Java CVE-2012-4681 (fixed in End August Oracle Security Alert) and of Oracle Java CVE-2012-5076 (fixed in October 2012 CPU).
Here under a VirusTotal analysis of all involved files:
- gS19tbEF.jpg (eef74c38121c225ab4d7f1d2bbb0369a) – 9/46 : CVE-2011-3544
- lXjOhqg.jpg (16e2c0a9f6636f9698e4dbe2f56551a9) – 22/46 : CVE-2012-1723
- obDb9.jpg (ac8085d9ec48770511c82065d6947eb7) – 27/41 : CVE-2012-4681
- MMWYD.jpg (684acb532179d99733273b79c4382b39) – 5/46 : CVE-2012-5076
- WysBRr.html (f018e5adf65c0841e58ba9c69703e6d4) – 6/45 : CVE-2012-1889
- JSZlR.html (7282d761c60541ad3edf7e480807bcb6) – 3/46 : CVE-2012-1889
- rar.css (c11b39439a1eda6923feefcad3993d22) – 18/43 : HEUR:Trojan.Win32.Generic
- top.html (13a5c097c74012a6f16fe9a866bee74e) – 2/46 : KaiXin.A