Endpoint Protection

 View Only

PDF invoices may cost more than you expect 

Oct 20, 2014 12:45 PM

Contributor: Joseph Graziano

PDF invoices sent over email have become increasingly common in today’s business world. However, that doesn’t mean that there are no complications with the file format. Addressing these invoices without requiring verification from the recipient can lead to a compromised computer with the user’s confidential data in jeopardy.

Over the past week, Symantec has observed a spam campaign involving suspicious emails that masquerade as unpaid invoices. However, these suspicious emails come with a nasty surprise attached in the form of a malicious .pdf file.

Fig1_19.png
Figure 1. Malicious .pdf file attached to suspicious email

While these invoices may appear to be legitimate because the sender’s email address may be associated with a major company, the emails contain spelling errors in the subject line and the body of the email contains just one line of text. Most business emails contain a personal greeting to the recipient and the sender’s signature, but these emails have neither. These signs should serve as warnings to users that the email is not what it claims to be.

The attached .pdf file has malicious shellcode hidden inside of it that will be executed when opened with a vulnerable version of Adobe Reader.

malicious_shellcode.jpg
Figure 2. Shellcode hidden inside malicious .pdf file

The attackers are trying to exploit the Adobe Acrobat and Reader Unspecified Remote Integer Overflow Vulnerability (CVE-2013-2729) by triggering the vulnerability while parsing the crafted Bitmap encoded image.

encrypted_image.jpg
Figure 3. Bitmap encoded image

The embedded shellcode acts as a downloader which downloads a malicious executable file (Infostealer.Dyranges) from a remote location. The downloaded malware attempts to install itself as a service called “google update service” by adding the following registry entry.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"GoogleUpdate" = “[PATH TO MALWARE]”

If successful, the malware is then able to steal confidential information entered into Web browsers by the user.

Symantec recommends that users exercise caution when opening emails and attachments from unexpected or unknown senders. We also advise that PDF viewers and security software should be kept up-to-date. Symantec detects the malicious .pdf file used in this campaign as Trojan.Pidief.

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Related Entries and Links

No Related Resource entered.