More evidence is beginning to emerge that the Adobe Reader zero-day bug revealed recently is being used in targeted attacks against companies and federal agencies. Researchers recently have come across fresh samples of malware exploiting the vulnerability by using files crafted to draw in employees of federal contractors and other related organizations.
The new attacks are using a previously unknown command-and-control server and are leveraging the Reader vulnerability to download a binary that will in turn inject a malicious DLL into several running processes if they’re found on the compromised machine, according to research by Alien Vault Labs.
If the malware finds one of the running processes it’s interested in–Outlook, Internet Explorer or Firefox–it will then inject the DLL into the process and the binary will create a PDF file that supposedly contains travel reimbursement rates for some unnamed organization. Once that’s done, it will reach out to a remote C&C server.
“The injected DLL will contact XXXhksrv.hostdefence.net/asp/kys_allow_get.asp?name=getkys.kys to download an encrypted configuration file. This file contains several commands that the victim will execute, sending the results back to the C&C server,” Alien Vault’s analysis says.
The domain that’s hosting the C&C server is located in China.
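For defenders, the most directly actionable detail in the analysis above is the C&C download URL. The following is an added example (not from Alien Vault or the article) that scans constructed web-proxy log lines for requests matching that URL pattern; the hostname prefix was redacted as “XXX” in the source, so the check matches only on the visible host suffix, path and query.

```python
"""Flag proxy-log requests matching the Sykipot C&C download URL quoted above."""
from urllib.parse import urlsplit

# Indicator values as printed in the article; the hostname prefix was redacted
# ("XXX"), so only the visible suffix of the host is used for matching.
CNC_HOST_SUFFIX = "hksrv.hostdefence.net"
CNC_PATH = "/asp/kys_allow_get.asp"
CNC_QUERY_FRAGMENT = "name=getkys.kys"


def is_sykipot_beacon(url: str) -> bool:
    """Return True if the requested URL matches the C&C configuration download."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()  # hostname is already lower-cased by urlsplit
    return (host.endswith(CNC_HOST_SUFFIX)
            and parts.path.lower() == CNC_PATH
            and CNC_QUERY_FRAGMENT in parts.query.lower())


def scan_proxy_log(lines):
    """Return (client_ip, url) for every line whose URL matches the beacon.

    Assumed log format (constructed for this example, space separated):
    <timestamp> <client_ip> <method> <url> <status>
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or truncated lines
        client_ip, url = fields[1], fields[3]
        if is_sykipot_beacon(url):
            hits.append((client_ip, url))
    return hits


# Constructed sample log lines (not real traffic); one is the C&C fetch.
SAMPLE_LOG = [
    "2012-01-10T09:14:02Z 10.0.0.21 GET http://www.example.com/index.html 200",
    "2012-01-10T09:14:05Z 10.0.0.21 GET http://XXXhksrv.hostdefence.net/asp/kys_allow_get.asp?name=getkys.kys 200",
    "2012-01-10T09:15:11Z 10.0.0.42 GET http://hostdefence.net/asp/other.asp?name=getkys.kys 404",
]

if __name__ == "__main__":
    for ip, hit_url in scan_proxy_log(SAMPLE_LOG):
        print(f"possible Sykipot C&C beacon from {ip}: {hit_url}")
```

A hit on this URL is a signal to pull the host for the injected-DLL behavior described above (Outlook, Internet Explorer, Firefox) rather than a verdict on its own.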
The instrument of compromise in these attacks is the Sykipot Trojan, a known piece of malware that’s been used in the past to exploit other Adobe vulnerabilities. Previously identified attacks against this latest Reader and Acrobat vulnerability have been using a PDF that purports to be an employee survey for workers at ManTech, a large defense contractor in the U.S. And in its advisory on the vulnerability, Adobe credited Lockheed Martin for reporting the flaw in the first place.