Monday, May 21, 2012

Malicious PDF used in APT attacks exploiting new variants of CVE-2012-0754

Xecure Lab has discovered a new CVE-2012-0754 Flash Player exploit variant being used in recent APT activities. The earliest version came from a Word document named "Iran's Oil and Nuclear Situation.doc" (see Mila's blog), where the embedded Flash code would download an MP4 file from a remote server; that MP4 contains the actual exploit code that triggers the Flash bug. Today, the new variant we found is a malicious PDF, and the MP4 is self-contained in the PDF!
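The delivery chain described above (PDF, embedded Flash container, MP4 carried inside it) can be triaged statically without rendering the file. The script below is an added example and not part of Xecure Lab's post or of XecScan: it walks the PDF's stream objects, inflates FlateDecode streams, flags RichMedia/EmbeddedFile/JavaScript markers, recognises SWF containers by their FWS/CWS/ZWS signature, expands the Flash body and looks inside it for an MP4 'ftyp' box. The sample PDF it builds is constructed and benign, carrying only the container structure and no exploit content; the function names (triage_pdf, build_sample_pdf, and the rest) are my own.

```python
import re
import zlib

# A stream object: a dictionary (one level of nesting allowed) followed by 'stream'.
STREAM_START_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n", re.S)
# Direct /Length value; an indirect reference such as '/Length 5 0 R' is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Common ISO-BMFF major brands seen in the 'ftyp' box of MP4-family files.
MP4_BRANDS = (b"isom", b"iso2", b"mp41", b"mp42", b"avc1", b"M4V ", b"qt  ", b"3gp4")


def iter_streams(pdf):
    """Yield (dictionary, payload) for every stream object; FlateDecode payloads are inflated."""
    for m in STREAM_START_RE.finditer(pdf):
        dictionary, start = m.group(1), m.end()
        lm = LENGTH_RE.search(dictionary)
        if lm:
            payload = pdf[start:start + int(lm.group(1))]
        else:  # no usable /Length: fall back to the 'endstream' keyword
            end = pdf.find(b"endstream", start)
            payload = pdf[start:len(pdf) if end == -1 else end].rstrip(b"\r\n")
        if b"/FlateDecode" in dictionary:
            try:
                payload = zlib.decompress(payload)
            except zlib.error:
                pass  # damaged or deliberately malformed stream: inspect the raw bytes
        yield dictionary, payload


def swf_body(blob):
    """Uncompressed tag body of an FWS/CWS file (ZWS is LZMA-packed and not expanded here)."""
    if blob[:3] == b"FWS":
        return blob[8:]
    if blob[:3] == b"CWS":
        try:
            return zlib.decompress(blob[8:])
        except zlib.error:
            return b""
    return b""


def find_mp4_boxes(blob):
    """Offsets of every plausible 'ftyp' box: 4-byte size, 'ftyp', then a known major brand."""
    return [i - 4 for i in (m.start() for m in re.finditer(rb"ftyp", blob))
            if i >= 4 and blob[i + 4:i + 8] in MP4_BRANDS]


def triage_pdf(pdf):
    """Return the sorted list of indicator names found in the PDF bytes."""
    findings = set()
    if b"/RichMedia" in pdf:
        findings.add("richmedia_annotation")
    if b"/EmbeddedFile" in pdf:
        findings.add("embedded_file")
    if b"/JavaScript" in pdf or b"/JS" in pdf:
        findings.add("javascript")
    for _dictionary, payload in iter_streams(pdf):
        if payload[:3] in SWF_MAGICS:
            findings.add("swf_stream")
            if find_mp4_boxes(swf_body(payload)):  # MP4 carried inside the Flash file
                findings.add("mp4_in_swf")
        if payload[4:8] == b"ftyp" and payload[8:12] in MP4_BRANDS:  # stream is itself an MP4
            findings.add("mp4_stream")
    return sorted(findings)


def build_sample_pdf():
    """Constructed benign sample (hypothetical): a RichMedia-annotated PDF whose FlateDecode
    stream holds a CWS (zlib-compressed) SWF, and the SWF body carries an MP4 'ftyp' box."""
    mp4 = b"\x00\x00\x00\x18" + b"ftyp" + b"isom" + b"\x00\x00\x02\x00" + b"isomiso2"
    body = (b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00"   # RECT header, 550x400
            + b"\x00\x0c" + b"\x01\x00"                # frame rate, frame count
            + b"\x00" * 16 + mp4 + b"\x00" * 8)         # padding around the MP4 box
    swf = b"CWS" + b"\x0a" + (8 + len(body)).to_bytes(4, "little") + zlib.compress(body)
    data = zlib.compress(swf)
    return (b"%PDF-1.7\n"
            + b"1 0 obj\n<< /Type /Annot /Subtype /RichMedia >>\nendobj\n"
            + b"2 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
            + str(len(data)).encode() + b" >>\nstream\n" + data + b"\nendstream\nendobj\n"
            + b"%%EOF\n")


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

Run against a real suspect file with `triage_pdf(open(path, "rb").read())`; "swf_stream" together with "mp4_in_swf" is the combination that matches the self-contained variant described in this post, and is a good reason to submit the file to a sandbox rather than open it.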

With our public APT scanning service, XecScan, more details can be extracted, and we conclude that this malware is a new variant of "傻B" (the so-called SB family), a very popular APT family hitting Taiwan.

MD5: 3a6ada48300612121d2761be291d0514
File name: 請各單位注意豪雨特報.pdf
The command and control IPs are in the US and the UK:

IP Address     Country         Region    City       ISP
74.218.110.38  United States   Virginia  Herndon    Road Runner Holdco Llc
78.31.108.43   United Kingdom  England   Guildford  Memset Ltd


To all Adobe Flash users, please update your Adobe Flash Player now: http://www.adobe.com/support/security/bulletins/apsb12-03.html
