The newly discovered vulnerability in Adobe Reader and Acrobat, which the company plans to patch next week, is being used to install a known Trojan that was also used in earlier attacks exploiting other Adobe vulnerabilities.
Researchers who have analyzed the payload of the attacks against the zero-day in Adobe Reader and Acrobat said that the attacks deliver the Sykipot Trojan. When successful, the exploit crashes the Adobe application and then opens a new document. In the sample analyzed by Brandon Dixon of 9bplus, that document was an employee survey targeted at employees of ManTech, a large U.S. defense contractor.
Dixon found that the JavaScript used in the exploit performs some checks to determine the version number of the software being targeted, but in this case the exploit is looking for version numbers that do not exist yet.
“Assuming the version requirements are correct, the main heap spray function is invoked. The final call to ‘zzzzzzzzzzzz()’ appears to be the main spray routine and setup. After the spray is complete, another spray follows with generic padding and then some Adobe specific calls. What is interesting to note are the calls that follow,” Dixon wrote in his analysis.
“A call is made to check whether or not the platform is a Windows machine and then Reader is told to move to page 2. I believe this portion of the code is the trigger for the rendering of the 3D data. Page 2 contains references to the annotations and content of object 11 which defines the 3D data to display (object 10). Without this, I am not certain the vulnerability would be triggered and is likely called manually to ensure enough time was given to spray into memory.”
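A defensive triage check for the traits described above: a PDF that combines embedded JavaScript checking the viewer version and platform, a forced page change, and a 3D annotation whose U3D stream is what the reader renders. This is an added example, not code from the article or from Dixon's analysis. It assumes the checks use the standard Acrobat JavaScript API names `app.viewerVersion`, `app.platform` and `pageNum`; the sample PDF it builds is constructed for the example, carries no exploit or U3D payload, and exists only so the scan can be run offline. The scan inflates FlateDecode streams first, because a compressed JavaScript stream hides every indicator from a plain byte search.

```python
import re
import zlib

# Indicators drawn from the traits the analysis describes: embedded JavaScript,
# viewer-version and platform checks, a page change, and a 3D annotation whose
# U3D stream is what the reader renders. The names are the standard Acrobat
# JavaScript API (assumption: the checks use these rather than aliases).
INDICATORS = {
    "javascript":      rb"/JavaScript|/JS\b",
    "version_check":   rb"app\.viewerVersion",
    "platform_check":  rb"app\.platform",
    "page_navigation": rb"\.pageNum\s*=",
    "3d_annotation":   rb"/Subtype\s*/3D\b",
    "u3d_stream":      rb"/Subtype\s*/U3D\b",
}

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(data: bytes) -> bytes:
    """Replace every zlib (FlateDecode) stream body with its inflated content
    so indicators hidden by compression become visible to the scan."""
    def repl(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)  # uncompressed or not zlib data: keep as-is
    return STREAM_RE.sub(repl, data)


def triage_pdf(data: bytes, inflate: bool = True) -> dict:
    """Return per-indicator hits and a verdict. Any single indicator is common
    in benign files (forms use JavaScript, CAD exports use 3D), so only the
    combination the analysed sample showed is flagged."""
    text = inflate_streams(data) if inflate else data
    hits = {name: re.search(pat, text) is not None for name, pat in INDICATORS.items()}
    suspicious = (hits["javascript"] and hits["3d_annotation"]
                  and (hits["version_check"] or hits["platform_check"]))
    return {"indicators": hits, "suspicious": suspicious}


def build_sample(compress_js: bool = True, with_3d: bool = True) -> bytes:
    """Constructed sample for this example, not the real document: a minimal
    PDF whose OpenAction runs JavaScript with the checks described, plus an
    optional (empty) 3D annotation. No exploit or U3D payload is included."""
    js = (b"var v = app.viewerVersion; "
          b"if (app.platform == 'WIN') { this.pageNum = 1; }")
    body = zlib.compress(js) if compress_js else js
    filt = b"/Filter /FlateDecode " if compress_js else b""
    js_obj = (b"4 0 obj\n<< " + filt + b"/Length %d >>\nstream\n" % len(body)
              + body + b"\nendstream\nendobj\n")
    annots = b"/Annots [5 0 R] " if with_3d else b""
    three_d = (b"5 0 obj\n<< /Type /Annot /Subtype /3D /Rect [0 0 100 100] /3DD 6 0 R >>\nendobj\n"
               b"6 0 obj\n<< /Type /3D /Subtype /U3D /Length 0 >>\nstream\n\nendstream\nendobj\n"
               if with_3d else b"")
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
            b"/OpenAction << /S /JavaScript /JS 4 0 R >> >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R " + annots + b">>\nendobj\n"
            + js_obj + three_d
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("with 3D", build_sample()), ("no 3D", build_sample(with_3d=False))):
        print(label, triage_pdf(pdf))
```

Run it on a file with `triage_pdf(open(path, "rb").read())`. The verdict is deliberately a conjunction: JavaScript alone or 3D content alone is too common in legitimate documents to act on, and inflating streams matters because a raw byte search over the compressed sample sees the 3D annotation but none of the JavaScript checks. Object streams (`/ObjStm`) and other filters are not handled here; a production triage tool would parse those as well.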
In another analysis of the malicious file, Mila Parkour of Contagio said that, once installed, the Sykipot malware communicates with a remote command-and-control server over HTTPS. The same piece of malware was used last year in exploit attempts against a separate Adobe Flash vulnerability.
Adobe in its advisory credited another defense contractor, Lockheed Martin, for reporting the issue. The public mention of Lockheed and the ManTech survey raises the strong possibility that the Adobe vulnerability is being used in targeted attacks against companies in the defense industry right now.