Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Mass Malicious PDF Email Campaigns from Cutwail

Over the last two weeks we have noticed a high number of emails with PDF attachments in our spam traps, which is unusual. These campaigns spanned several days, and originated from the Cutwail botnet, well known for spamming out malicious executable file attachments, but not necessarily PDFs. Clearly this warranted a closer look.

Here is an example of one of the messages:

9123_4adae7a7-d12a-430a-a80a-bf54ae181a37

To examine the PDF attachment, the pdfid.py tool from Didier Stevens in the REMnux environment was used to quickly highlight the file's contents.

9783_6c3c56bf-b38a-4b88-a4dd-d2c174084d72

The /XFA object was of interest. XFA stands for XML Forms Architecture, and allows for the inclusion of interactive forms in a PDF document that allow a user to enter data. It also happens to support Javascript, and as such the bad guys love hiding code here. Using another tool in REMnux, pdf-parser.py, enables us to search the PDF file using the –s flag to find the / XFA object, which we can see references object 1.

12028_d59d94d1-8c69-4242-879a-4db229854b9d

Looking at object 1 in the raw file shows that it is stream object, with a bunch of data compressed with the FlateDecode (Fl) filter.

9032_474fd82a-fa46-478b-a8bd-df7476ea4462

Pdf-parser.py can decompress this using its –f option, which reveals the XML code and embedded Javascript:

10620_92085713-3be9-4de7-815f-465fc4da172f

The decompressed output was huge, at over 90MB, and most of this appeared to be a large embedded image file.

12763_f7cecc06-bfbc-4081-8834-64d6d77f31c9

Importing this Base64 code into 010 Hex Editor reveals the nature of the image, a bitmap with a repeating byte pattern.

12195_de91ab60-107c-4727-afc5-bc1a81c232f8

At this stage we have a strong idea that this file is trying to exploit a known Adobe Reader vulnerability (CVE-2013-2729). This bug is triggered when Adobe Reader parses a bitmap (BMP) RLE encoded file embedded in an interactive PDF form. The BMP file makes use of these repeated bytes '\x00\x02\xff\x00' to exploit the vulnerability. Javascript within the XML is then used to execute code. (A detailed technical account of the vulnerability and exploit code can be found here).

The Javascript was run through jsbeautifier to make it look pretty. Below is a relevant code snippet that bears an uncanny resemblance to publically available proof-of-concept code.

12037_d61d36d5-59ff-42cf-a331-ef9444750ad6

Another PDF from a similar campaign a few days before showed similar, but not identical, results. The earlier example showed less obfuscation and is almost a direct cut & paste from existing proof-of-concept code. This is interesting because it shows the authors of the PDF document were experimenting with added obfuscation in later campaigns.

 

12880_fdb00659-d5b6-4b3a-9ee9-4650ccc8564b

We tried running this malicious PDF (md5:2897c57b2f3e02412c89b6bf44e6643d) in the lab, but while it crashed Adobe Reader, it did not lead to any other malware installation. However, the folks at MalwareBytes recently analyzed a similar sample, and found payloads of Zeus and Cryptolocker. This is consistent with what we have seen from Cutwail recently.

To sum up, in a break from normal behavior, the Cutwail botnet spammed out large volumes of malicious PDFs targeting a known vulnerability in Adobe Reader. (CVE-2013-2729). The actors behind this campaign appear to be playing with code obfuscation in the file, most likely in an effort to bypass anti-virus. Alongside the PDF campaigns, Cutwail continued to pump out spam with malicious executable attachments as normal. So the PDF campaigns were perhaps an experiment. As I finish writing this, the PDFs attachments appear to have dried up – a failed experiment perhaps, or can we expect more in the future?

As usual, patching is important, ensure PDF reader software is kept up to date. Also, try and block this stuff at the gateway - the Trustwave Secure Email Gateway blocked these malicious spam campaigns up-front.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More