We haven’t come across many malicious PDF files recently in our spam traps, so when we found this message, ostensibly from Vodafone Deutschland, we naturally took a closer look.
In this example, the cyber crooks are targeting Vodafone Deutschland customers by spamming a fake billing statement. The message claims to be from Vodafone-OnlineRechnung@vodafone.com. The spam may look harmless at first, especially given the links in the message point to the real Vodafone.de website. But the attached PDF file is indeed dangerous.
I tested the attached PDF file against PDFScore (a tool developed by our colleague Rodrigo Montoro a.k.a Sp0oKeR) and it showed a number of suspect elements inside the file. You may check out Rodrigo's presentation about "Scoring PDF Structure To Detect Malicious Files" at SOURCE 2012 in Seattle: http://www.youtube.com/watch?v=qNlZiB2wnEM
The malicious PDF file was crafted to exploit the Libtiff vulnerability (CVE-2010-0188) in Adobe Reader 9.3 and earlier. The exploit crashes Adobe Reader and executes the attacker’s malicious code.
Here’s the code which is easier on the eyes:
And here’s the full HEX decoded shellcode, notice a couple of URLs below:
The shellcode's ultimate intention is to download a couple of malicious file from the internet.
GET /stuff/corduroyshop/corduroyshop.exe Host:rocketmou.se (18.104.22.168:80) GET /mapa/images/mapa.exe Host: coachplay.co.il (22.214.171.124:80)
Both files are exactly the same executable from different URLs, perhaps for redundancy reasons. The malware is known as Bublik or Bebloh – a banking Trojan. https://www.virustotal.com/file/ffee98ae73c293f9fc4b2ab6076c64ad84256546cc97cb8eb572201d4a27c0d6/analysis/
The Bublik/Bebloh Trojan’s payload connected to a command and control server and gathered email addresses in the infected machine by querying the WAB (Windows Address Book) registry. It disabled the Windows LUA (Least Privileged User Account) to run all applications (including the malware itself) as Administrator. It also changed the default browser to Internet Explorer in order to monitor the user’s internet browsing habits and online banking.
Here’s a TCP stream capture of the Trojan communicating to its command & control server at Trisi[.]net (126.96.36.199)
The WHOIS info of the Trojan’s command & control server domain name shows that it was just created recently last 15th of November, hmmm interesting!
In conclusion, sometimes it’s quite hard to distinguish legitimate and malicious email and this spam campaign is an example. But if you’re a Vodafone customer in Germany who regularly receives monthly bill statement through email, there is a high chance of being sucked in and opening the attached PDF file.
Fortunately, if you have the latest Adobe Reader XI installed in your computer, the exploit inside the malicious PDF file will be rendered useless. Better yet, use an alternative PDF reader.
Customers of Trustwave MailMarshal Secure Email Gateway are protected against this threat.