Research

Adobe yet again

Vulnerabilities continue to be detected and successfully exploited in Adobe’s most popular products – Acrobat and Reader.

Some days ago we received an interesting PDF file (detected as Exploit.JS.Pdfka.bui) which contained an exploit for the CVE-2010-0188 vulnerability, which was originally discovered back in February in Acrobat/Reader version 9.3 and earlier.

The first thing that catches the eye is the intentionally malformed TIFF image inside the PDF file.

Adobe yet again

The vulnerability – a buffer overflow – manifests itself when the field containing the image is accessed. The attack is carried out using ‘heap spraying’, a technique popularly used by many exploits on products capable of running JavaScript code, the recent Aurora attack being a good example of this technique in action.If the vulnerability mentioned above is exploited successfully, the return address is overwritten with the predefined address 0xC0C0C0C0. This being where the code controlled by cybercriminals is located.

Adobe yet again

After this it jumps to an address containing a shellcode, which initially decrypts its body and then the executable file, which is also embedded into the original PDF file.

Adobe yet again

The decrypted executable file (detected as Backdoor.Win32.Agent.aqoj) is written into the root folder of the C: drive and launched. Its purpose is to send data about the victim’s computer to a remote server and download other malicious files to the infected machine.

Adobe was quick to release an update for the affected products. However, this won’t deter the cyber criminals because, as past experience shows, users are slow to update their machines and the bad guys won’t hesitate to exploit the vulnerability in the meantime. In order to avoid this infection and others like it, we strongly recommend installing the latest updates for Acrobat and Reader.

Adobe yet again

Your email address will not be published. Required fields are marked *

 

Reports

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

Subscribe to our weekly e-mails

The hottest research right in your inbox