Friday, June 14, 2013

PDF exploit is getting hot, watch out for CVE-2013-2729

There are at least three document exploits circulating this season, mainly disguised as .doc and .pdf files. Earlier this month we identified an interesting and quite fresh PDF file: it is the CVE-2013-2729 exploit, which Adobe patched on May 14 (http://www.adobe.com/support/security/bulletins/apsb13-15.html). The first security advisory for this exploit was released by http://www.binamuse.com; it is a specially crafted BMP file that can bypass ASLR and DEP!
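A defender-side triage check, added here and not code from the original post or from Xecure Lab: since the page identifies the exploit as a crafted BMP carried inside a PDF, the script walks a PDF's stream objects, inflates FlateDecode streams, and reports any stream that starts with a BMP header together with its parsed header fields so an analyst can pull it out for a closer look. The sample PDF is constructed for the demonstration, and the stream locator is a heuristic rather than a full PDF parser.

```python
import re
import struct
import zlib

# Naive stream locator: good enough for triage, not a full PDF parser.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def extract_streams(pdf_bytes):
    """Yield the content of every stream object, inflating FlateDecode streams."""
    for m in STREAM_RE.finditer(pdf_bytes):
        raw = m.group(1)
        # The stream dictionary sits just before the 'stream' keyword.
        dict_start = pdf_bytes.rfind(b"<<", 0, m.start())
        if b"/FlateDecode" in pdf_bytes[dict_start:m.start()]:
            try:
                raw = zlib.decompressobj().decompress(raw)  # tolerates the trailing EOL
            except zlib.error:
                continue  # corrupt or unusual stream: skip it
        yield raw


def parse_bmp_header(data):
    """Return BITMAPFILEHEADER/BITMAPINFOHEADER fields, or None if data is not a BMP."""
    if len(data) < 54 or data[:2] != b"BM":
        return None
    file_size, _, _, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    hdr_size, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    # actual_size lets the analyst compare the declared file size with what was embedded
    # (an uncompressed stream may carry one trailing end-of-line byte).
    return {"file_size": file_size, "pixel_offset": pixel_offset, "header_size": hdr_size,
            "width": width, "height": height, "bpp": bpp, "compression": compression,
            "actual_size": len(data)}


def find_bmp_in_pdf(pdf_bytes):
    """Return header fields for every stream in the PDF that carries a BMP image."""
    return [h for h in (parse_bmp_header(s) for s in extract_streams(pdf_bytes)) if h]


def build_sample_pdf():
    """Constructed test input: a minimal PDF whose single stream is a Flate-compressed 4x4 BMP."""
    info = struct.pack("<IiiHHIIiiII", 40, 4, 4, 1, 24, 0, 48, 0, 0, 0, 0)
    bmp = b"BM" + struct.pack("<IHHI", 54 + 48, 0, 0, 54) + info + b"\x00" * 48
    body = zlib.compress(bmp)
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for hit in find_bmp_in_pdf(build_sample_pdf()):
        print("BMP stream found, review it:", hit)
```

Run it against a suspect PDF by passing the file's bytes to find_bmp_in_pdf; an empty list means no stream begins with a BMP header, not that the file is clean.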


The CVE-2013-2729 sample we received earlier this month was disguised in an email about analytic reports on China's president Xi Jinping. The attached PDF contained the exploit and malware, and it could bypass antivirus detection.



A glance at the PDF

When we detected this APT email (there are actually three instances of this wave of attacks, all using similar malware), we also submitted it to our XecScan engine for a detailed report; the C2 IP points to update . pushbike . tw (for the full report, see: http://d.pr/i/jDml).




Birdman and Benson, Xecure Lab
