We haven't come across many malicious PDF files recently inour spam traps, so when we found this message, ostensibly from VodafoneDeutschland, we naturally took a closer look.
In this example, the cyber crooks are targeting VodafoneDeutschland customers by spamming a fake billing statement. The message claimsto be from Vodafone-OnlineRechnung@vodafone.com.The spam may look harmless at first, especially given the links in the messagepoint to the real Vodafone.de website. But the attached PDF file is indeeddangerous.
I tested the attached PDF file against PDFScore (a tool developed by our colleague Rodrigo Montoro a.k.a Sp0oKeR) and it showed a number of suspect elements inside the file. You may check out Rodrigo's presentation about "Scoring PDF Structure To Detect Malicious Files" at SOURCE 2012 in Seattle: http://www.youtube.com/watch?v=qNlZiB2wnEM
The malicious PDF file was crafted to exploit the Libtiffvulnerability (CVE-2010-0188) in Adobe Reader 9.3 and earlier. The exploit crashes Adobe Reader and executes the attacker'smalicious code.
Here's the code which is easier on the eyes:
And here's the full HEXdecoded shellcode, notice a couple of URLs below:
The shellcode's ultimate intention is to download a coupleof malicious file from the internet.
GET /stuff/corduroyshop/corduroyshop.exe Host:rocketmou.se (126.96.36.199:80)GET /mapa/images/mapa.exeHost: coachplay.co.il (188.8.131.52:80)
Both files are exactly the same executable from differentURLs, perhaps for redundancy reasons. The malware is known as Bublik or Bebloh – a banking Trojan. https://www.virustotal.com/file/ffee98ae73c293f9fc4b2ab6076c64ad84256546cc97cb8eb572201d4a27c0d6/analysis/
The Bublik/Bebloh Trojan's payload connected to a commandand control server and gathered email addresses in the infected machine byquerying the WAB (Windows Address Book) registry. It disabled the Windows LUA(Least Privileged User Account) to run all applications (including the malwareitself) as Administrator. It also changed the default browser to InternetExplorer in order to monitor the user's internet browsing habits and onlinebanking.
Here's a TCP stream capture of the Trojan communicating to itscommand & control server at Trisi[.]net (184.108.40.206)
TheWHOIS info of the Trojan's command & control server domain name shows that itwas just created recently last 15th of November, hmmm interesting!
Inconclusion, sometimes it's quite hard to distinguish legitimate and maliciousemail and this spam campaign is an example. But if you're a Vodafone customer in Germany who regularly receives monthly bill statement through email, there is a high chance of being sucked in and opening the attached PDF file.
Fortunately,if you have the latest Adobe Reader XI installed in your computer, the exploitinside the malicious PDF file will be rendered useless. Better yet, use an alternative PDF reader.
Customers of Trustwave MailMarshal Secure Email Gateway are protected against this threat.