PDF exploits have not been that common in recent years, especially since the introduction of Protected Mode, which adds sandbox protection. However, the CVE-2013-0640 exploits were the first known attacks that could bypass the Protected Mode sandbox of Reader XI and Acrobat XI for Windows (Protected View is not enabled by default in these versions), crash the application and potentially allow an attacker to take control of the affected system.
Earlier this month, Xecure Lab captured the CVE-2013-0640 PDF exploit in an APT email attack. The malicious PDF was disguised as a datasheet, wrapped in a RAR archive and further protected with a password. The password "1234567890" was provided in the email body so that the target could open it easily.
So in this APT operation, the adversary did the following:
1. embedded CVE-2013-0640 in a PDF
2. packed the files in a RAR archive (with the file names encrypted as well)
3. password-protected the archive
4. applied social engineering in a sales pitch context: handing out a datasheet and a brochure
The end result looks very promising from the attacker's side: it successfully bypassed the VirusTotal check of 45 antivirus engines.
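Steps 2 and 3 above are what keep the scanner out: an archive created with encrypted headers hides even the file names, and the password in the mail body lets the target open it while the gateway cannot. The following is an added example (not Xecure Lab's code) showing what a mail gateway can still learn from the RAR 4.x block headers without the password. The block layout and flag values (MHD_PASSWORD, LHD_PASSWORD, LHD_LARGE, LONG_BLOCK) follow the published unrar technote; the sample archives, the mail body and the `triage_attachment` heuristics are constructed for this example and the CRC fields are left at zero because the parser does not verify them.

```python
import re
import struct

# RAR 4.x block layout: every block starts with
# HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2), all little-endian.
RAR4_MARKER = b"Rar!\x1a\x07\x00"
HEAD_MAIN, HEAD_FILE, HEAD_END = 0x73, 0x74, 0x7B
MHD_PASSWORD = 0x0080   # main header: every following block header is encrypted (rar -hp)
LHD_PASSWORD = 0x0004   # file header: this file's data is encrypted (rar -p)
LHD_LARGE = 0x0100      # file header: 64-bit sizes follow the fixed fields
LONG_BLOCK = 0x8000     # any block: ADD_SIZE(4) follows the fixed fields


def inspect_rar4(data: bytes) -> dict:
    """Walk the RAR 4.x block chain and report what is visible without a password."""
    info = {"rar4": False, "headers_encrypted": False, "files": []}
    if not data.startswith(RAR4_MARKER):
        return info
    info["rar4"] = True
    pos = len(RAR4_MARKER)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            break                                   # corrupt block, stop walking
        if htype == HEAD_MAIN:
            info["headers_encrypted"] = bool(flags & MHD_PASSWORD)
            if info["headers_encrypted"]:
                break                               # nothing after this block is readable
            pos += hsize
        elif htype == HEAD_FILE:
            if pos + 32 > len(data):
                break
            (pack_size, _unp, _os, _fcrc, _ftime, _ver, _method,
             name_size, _attr) = struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            name_off = pos + 32
            if flags & LHD_LARGE:
                pack_size |= struct.unpack_from("<II", data, name_off)[0] << 32
                name_off += 8
            name = data[name_off:name_off + name_size].decode("latin-1", "replace")
            info["files"].append({"name": name,
                                  "encrypted": bool(flags & LHD_PASSWORD),
                                  "packed_size": pack_size})
            pos += hsize + pack_size                # skip the packed data as well
        elif htype == HEAD_END:
            break
        else:                                       # comment, AV or other block types
            add = 0
            if flags & LONG_BLOCK and pos + 11 <= len(data):
                add = struct.unpack_from("<I", data, pos + 7)[0]
            pos += hsize + add
    return info


# heuristic (assumption): "password is 1234567890", "password: abc" and similar phrasings
PASSWORD_IN_BODY = re.compile(r"password\s*(?:is|:)?\s*\W?([A-Za-z0-9]{4,})", re.I)


def triage_attachment(body: str, archive: bytes) -> list:
    """Return the risk indicators a gateway should log for a mail carrying this archive."""
    indicators = []
    info = inspect_rar4(archive)
    if not info["rar4"]:
        return indicators
    if info["headers_encrypted"]:
        indicators.append("rar-encrypted-headers")   # file names hidden from every scanner
    for f in info["files"]:
        if f["encrypted"]:
            indicators.append("rar-encrypted-file")
        if f["name"].lower().endswith(".pdf"):
            indicators.append("pdf-inside-archive")
    encrypted = info["headers_encrypted"] or any(f["encrypted"] for f in info["files"])
    if encrypted and PASSWORD_IN_BODY.search(body):
        indicators.append("password-in-mail-body")   # the target can open it, AV cannot
    return indicators


# --- constructed samples (no real malware): CRCs are zero, the parser ignores them
def _main_header(flags: int) -> bytes:
    return struct.pack("<HBHH", 0, HEAD_MAIN, flags, 13) + b"\x00" * 6  # HighPosAV + PosAV


def _file_block(name: bytes, data: bytes, encrypted: bool) -> bytes:
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    fixed = struct.pack("<IIBIIBBHI", len(data), len(data), 2, 0, 0, 29, 0x30, len(name), 0x20)
    return struct.pack("<HBHH", 0, HEAD_FILE, flags, 32 + len(name)) + fixed + name + data


END_BLOCK = struct.pack("<HBHH", 0, HEAD_END, 0x4000, 7)
SAMPLE_HP = RAR4_MARKER + _main_header(MHD_PASSWORD) + b"\x5a" * 24            # rar -hp style
SAMPLE_P = RAR4_MARKER + _main_header(0) + _file_block(b"datasheet.pdf", b"\x5a" * 8, True) + END_BLOCK
SAMPLE_PLAIN = RAR4_MARKER + _main_header(0) + _file_block(b"brochure.pdf", b"\x5a" * 8, False) + END_BLOCK
SAMPLE_BODY = "Hi, attached is our latest datasheet. The password is 1234567890. Regards"  # constructed

if __name__ == "__main__":
    for label, sample in (("hp", SAMPLE_HP), ("p", SAMPLE_P), ("plain", SAMPLE_PLAIN)):
        print(label, inspect_rar4(sample), triage_attachment(SAMPLE_BODY, sample))
```

The "rar-encrypted-headers" case is the interesting one: the archive can be recognised as RAR and as header-encrypted, but nothing else is visible, so the only sane gateway policy is to hold such attachments for detonation with the password harvested from the body, rather than pass them through as "clean" because no engine could look inside.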
Xecure Lab picked up this APT email with our unique static APT DNA detection engine, which requires neither a sandbox nor virus signatures. For deeper binary analysis, identified APT binaries are passed to our virtual sandbox, XecScan (http://scan.xecure-lab.com).
The C2 server is located at ftpdown . narllab . com
The full XecScan report can be found below.
If you are interested in leveraging our XecScan API in your product or service, please write to us: benson at xecure-lab dot com