There has been a spate of spear-phishing attacks against a number of high-profile targets in the last few months, including RSA and others, and that trend is continuing unabated. Researchers have come across a fresh attack using the familiar malicious PDF attachment that appears to be targeting users in the defense industry.
The latest attack uses a malicious PDF that exploits a known JavaScript vulnerability in Adobe Reader to install malware on the victim’s machine. The PDF that the attack employs poses as an advertisement for the call for papers for a defense-industry conference at the Naval Postgraduate School in California, according to an analysis by F-Secure researchers.
“When opened in Adobe Reader, it exploits a known Javascript vulnerability and drops a file called lsmm.exe. This is a backdoor that connects back to the attacker, who is waiting at IP addresses 59.7.56.50 and 59.19.181.130,” F-Secure’s Mikko Hypponen wrote.
“After this, a decoy PDF file is shown to the end user. The decoy is a call for papers for 2012 AIAA Strategic and Tactical Missile Systems Conference, which is a US conference classified as SECRET.”
These kinds of attacks have become an effective tool for attackers who want either to go after a user in one specific company or to get as many victims as possible in a short amount of time. The RSA attack was the most well-publicized of these attacks, but there have been a number of others in recent months as well. They tend to follow a set pattern: doing some reconnaissance on a potential target, finding attractive topics for the email, and crafting a message that appears to be from a trusted source.
The defense industry in the U.S. has been a frequent target of attacks of late, including incidents at Lockheed Martin, IRC Federal and Booz Allen Hamilton.