Government contractors targeted by fake Windows update trojan

A joint report has just been released detailing attacks that have targeted government contractors since 2009. The attacks begin with phishing emails disguised as invitations to conferences.

The report, by Seculert and Zscaler, details that the phishing emails carry PDF attachments that exploit Adobe Reader flaws when opened. The exploit then installs a trojan, dubbed “MSUpdater”, that does a convincing job of posing as a legitimate Windows Update process. In reality the trojan provides backdoor access into the network, giving the attackers unfettered access to very sensitive files for as long as it remains active.

The report states, “Foreign and domestic (United States) companies with intellectual property dealing in aero/geospace and defense seem to be some of the recent industries targeted in these attacks.” The report does not detail exactly which companies have been involved.

Seculert CTO Aviv Raff told Ars Technica that they believe these attacks are state sponsored or the work of a very high-profile group of attackers. The group responsible for the attacks has not yet been identified.

The original zero-day vulnerability in Adobe Reader was patched in October 2010, but Raff makes the obvious point that attackers of this kind will latch onto another vulnerability very quickly. Both Seculert and Zscaler say that trojans of this type are sophisticated and difficult to detect, and that the goal of the attacks appears to be the theft of sensitive information.

Zscaler writes, “The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox. The Trojan functionality is decrypted at run-time, and includes expected functionality, such as downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection.”
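The report describes behaviour (an update-process impostor, run-time decryption, encoded HTTP traffic to the C&C) rather than publishing indicators, so any detection built from it has to be heuristic. The following Python is an added example, not code from the Seculert/Zscaler report or from Ars Technica. It triages constructed endpoint telemetry records (process name, image path, destination host, HTTP request body) for the pattern the two paragraphs above describe: a process named like Windows Update that runs from a user-writable directory and posts a single encoded blob to a host that is not an update server. The record shape, the update-domain allowlist, the trusted-directory list, the process-name pattern and the base64 check are all assumptions made for this example.

```python
"""Heuristic triage of outbound-HTTP telemetry for a Windows Update impostor.

Added illustration, not code from the Seculert/Zscaler report. The record
shape, the update-domain allowlist, the trusted-directory list and the
encoded-body check are all assumptions made for this example.
"""
from __future__ import annotations

import base64
import binascii
import re

# Domains a genuine Windows Update client is expected to contact.
# Illustrative allowlist (assumption), not an authoritative list.
UPDATE_DOMAINS = {"windowsupdate.com", "update.microsoft.com", "windowsupdate.microsoft.com"}

# Directories the real update client runs from (assumption, lower-cased).
TRUSTED_IMAGE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Process names that try to look like Windows Update (assumption).
UPDATE_NAME_RE = re.compile(r"(wuau|msupdat|winupdat|wuapp)", re.IGNORECASE)

# A request body that is one bare base64 token and nothing else.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def host_is_update_domain(host: str) -> bool:
    """Exact or subdomain match against the allowlist."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in UPDATE_DOMAINS)


def looks_encoded(body: str) -> bool:
    """True when the body is a single base64 blob that decodes cleanly."""
    if not BASE64_RE.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def triage(event: dict) -> list[str]:
    """Return the reasons one request looks like an update-process impostor."""
    reasons = []
    update_like = bool(UPDATE_NAME_RE.search(event["process"]))
    off_domain = not host_is_update_domain(event["host"])
    if update_like and not event["image"].lower().startswith(TRUSTED_IMAGE_DIRS):
        reasons.append("update-like process name running outside a trusted Windows directory")
    if update_like and off_domain:
        reasons.append("update-like process talking to a host that is not an update server")
    if off_domain and looks_encoded(event["body"]):
        reasons.append("request body is a single encoded blob sent to a non-update host")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (process, reasons) for every event that triggers at least one heuristic."""
    flagged = []
    for ev in events:
        reasons = triage(ev)
        if reasons:
            flagged.append((ev["process"], reasons))
    return flagged


# Constructed sample telemetry for this example (not data from the report):
# a genuine update client, an impostor beaconing from a temp directory, and
# an unrelated browser request.
SAMPLE_EVENTS = [
    {"process": "wuauclt.exe",
     "image": r"C:\Windows\System32\wuauclt.exe",
     "host": "download.windowsupdate.com",
     "body": ""},
    {"process": "msupdater.exe",
     "image": r"C:\Users\jsmith\AppData\Local\Temp\msupdater.exe",
     "host": "203.0.113.10",
     "body": base64.b64encode(b"host=WS-01;user=jsmith").decode()},
    {"process": "chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "host": "www.example.com",
     "body": "q=windows+update"},
]

if __name__ == "__main__":
    for process, reasons in scan(SAMPLE_EVENTS):
        print(process)
        for r in reasons:
            print("  -", r)
```

Only the second constructed record trips the heuristics, and it trips all three; the real client is exempt because it runs from System32 and talks to an update domain, and the browser request is ignored because its body is not a bare encoded token. Against real telemetry the allowlist and name pattern would need tuning, and a process whose image is unsigned or whose parent is not the service host would be a stronger signal than the name alone.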

The fact that trojans like this are going undetected at companies that house sensitive information is more than a bit unsettling. Government contractors will hopefully work to better detect them. More importantly, Adobe should be investigating and patching the vulnerabilities that allow these trojans to install themselves in the first place.