NEWS FROM THE LAB - Thursday, January 21, 2010

Targeted Attack Using "Operation Aurora" as the Lure Posted by Mikko @ 15:15 GMT

Now here's an interesting turn of events.

In the middle of all the attention to the "Operation Aurora" attacks, we're now seeing new targeted attacks that are using this very event as the lure to get the targets to open a malicious attachment!

Here's the e-mail we saw (the mail was forged to look like it came from gwu.edu):

   From: david████@gwu.edu
   Date: Wed, 20 Jan 2010 09:26:24
   To: (email addresses of the targets)
   Subject: Chinese cyberattack
   Attached is a short piece I just wrote for the Far Eastern Economic Review about Chinese cyberattack.
   I hope you find it interesting.
   If you have any good idea / comments, are warmly welcome to feedback.
   Attachment: .pdf Chinese cyberattack.pdf

The attachment Chinese cyberattack.pdf (md5: 238ecf8c0aee8bfd216cf3cad5d82448) is a PDF file which exploits the CVE-2009-4324 vulnerability in Adobe Reader (again, this is the one which was patched last week).

The exploit drops and runs a backdoor called Acrobat.exe (md5: 72170fc42ae1ca8a838843a55e293435). We detect this as W32/PoisonIvy.NQ. The PDF is detected as Trojan.Script.256073.