Email-borne exploits: the not-so innocuous killers targeting small business

Email-borne exploits: the not-so innocuous killers targeting small business

Update (05/21/2014): As previously suspected, other reports also support that CVE-2013-2729 is being used in malicious PDFs).

Email remains a widely used infection vector that mostly relies on social engineering a victim to click on a link or execute an attachment.

As far as malicious attachments go, the majority are zipped executables that often use the double extension trick (i.e. Invoice.doc.exe) and will directly infect a user’s PC as soon as they are ran.

But there’s another type of malicious attachments, one that we seldom hear about, that may deceive a lot of people and sneak by your antivirus: regular documents that have been exploited.

Just a couple of days ago, we spotted a new wave of spam emails spewing malicious PDF files. The decoy, which purports to be an invoice, is directly attached to an email targeting small businesses:

email

or a more generic fake Amazon invoice:

amazon_spam

All it takes for the infection to propagate is a double-click on the PDF (April invoice 332741.pdf – Order details 749-3004132-4433411.pdf) and a vulnerable version of Adobe Reader (version 11.0 was used in this test).

readerversion

This is a two-step exploitation, with first a fake error message (JavaScript):

exploit_pdf_pre

which leads to the actual exploit (CVE-2013-2729). If you have information, please share):

exploit_PDF

Let’s have a (quick) look at the underlying structure for this exploit: shellcode, heap spray

shellcode
chunky

(Update 05/12/14)

The shellcode contains the URL that the exploit will contact to download the malicious payload. We can extract it using pdf-parser from Didier Stevens:

dump_shellcode

Then use a tool (Converter from Kahu Security) to convert Unicode to EXE:

converter

And finally view the URL with PE Insider:

hex

This is what happens if you open the PDF with a vulnerable version (click to enlarge):

procmon

Adobe Reader downloads dr-gottlob-institut . de/11.exe (91aa1168489a732ef7a70ceedc0c3bc9), which in turn downloads pgalvaoteles . pt/111(91d33fc439c64bd517f4f10a0a4574f1):

fiddler

It is worth noting that both files have ‘Adobe Reader themed’ icons:

file_icons

The dropped files download many additional pieces of malware: the infamous ZeuS banking Trojan, CryptoLocker as well as other threats as seen in this Malwarebytes Anti-Malware scan report:

MBAM

But, as with all malware, prevention is better than cure. Our Malwarebytes Anti-Exploit product is able to stop this threat before it can do damage:

exploit_blocked

The threat is blocked as soon as the user opens up the malicious document, preventing malicious code from ever entering their PC.

Perhaps this type of threat became a little more well-known with the recent Microsoft Word Zero-Day (CVE-2014-1761) embedded in RTF documents that could exploit a system and download remote code, showing that not all exploits stem from browsing booby-trapped websites.

Here’s why exploit protection is also a better solution in this case: malicious documents typically have much lower detection rates than traditional malware binaries (notice how the bad guys didn’t even bother zipping the attachment).

There are more chances for a malicious PDF to make its way past the spam filters and more chances for the user to open it (don’t we all open PDFs from our inbox without thinking twice?).

Also, while you may want to send attachments to online scanning services such as VirusTotal, would you really want to upload and share with the world private contracts, invoices, etc?

It would be very interesting to know the infection rates between malicious documents and malware binaries. While the former do rely on the user’s machine being outdated, that factor is counter-balanced by the inherent trust in documents (Word, Excel, PDF, etc).

To mitigate these attacks, always make sure that your operating system is up-to-date as well as all the browsers and their respective plugins.

Of course, there will always be Zero-Days that make this recommendation useless, which is why exploit protection is more and more crucial.

@jeromesegura

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher