NEWS FROM THE LAB - Thursday, January 21, 2010

Intelligence Sector Hit by a Targeted Attack Posted by Mikko @ 14:52 GMT

We just blogged about a highly targeted attack against military contractors.

Now we saw one against the intelligence sector.

This attack was done with a PDF file. Again.

It was targeting the CVE-2009-4324 vulnerability. Again.

When opened, the PDF file (md5: c3079303562d4672d6c3810f91235d9b) looked like this:


What really happens in the background? Just like last time, the exploit code drops a backdoor in a file called Updater.exe (md5: 02420bb8fd8258f8afd4e01029b7a2b0).

Now, what is the document talking about? President's day? DNI Information Sharing Environment? We don't know, but a quick web search tells us that apparently there is going to be an Intelligence fair & expo in Germany next month.


Hmm. The Agenda looks awfully familiar.

We detect the files as Exploit.PDF-JS.Gen and Trojan-Spy:W32/Agent.NBZ.