Adobe Reader Zero-Day Exploit Targets Activists In Spearphishing Attacks
An Adobe Reader zero-day exploit has surfaced in a new wave of attacks targeting activist groups and is dropping an advanced piece of malware, according to researchers analyzing the new threat.

Security researchers at Kaspersky Lab and FireEye issued a report Thursday warning about a new attack campaign they are calling "ItaDuke." The threat has been detected in spearphishing attacks targeting Uyghur activists in Central Asia and Tibetan activists. The campaign preceded a human rights conference in Geneva this week, according to Kaspersky Lab threat researchers Costin Raiu and Igor Soumenkov.

The PDF exploit, which was detected in a spate of Adobe PDF attacks in February, was patched by the vendor in a security update issued Feb. 20. The first round of attacks, called MiniDuke by researchers, targeted government agencies in Europe. It was able to bypass security restrictions, including the sandbox technology in Adobe Reader X. While it may originally have been developed by a nation state, the Kaspersky researchers said it can be copied and reused by financially motivated cybercriminals, and that may have been the case in the latest attacks.

[Related: SMBs Not Immune To Targeted Attacks]

"This is becoming a common procedure nowadays and we can expect more such piggybacking or exploit-stealing in the future," the Kaspersky researchers said in their analysis of the threat. "It is extremely valuable to any attacker."

The spearphishing messages in the latest attacks carry a malicious PDF. Once the victim opens it, the malware executes on the victim's machine, signed with a stolen digital certificate. It drops a backdoor, and once communication is established with a command-and-control server, a remote attacker can gain access to the victim's PC. Kaspersky researchers said some of the techniques built into the attack resemble the Tilded platform used in the Duqu and Stuxnet attacks.

The researchers also said the command-and-control IP addresses point to a remote server located in China.

"The threat actors behind these attacks are very active and continuously use new methods and new exploits to attack their victims," the Kaspersky researchers said in their analysis of the threat.

Security experts said individuals and small and midsize businesses could be at risk of targeted attacks and should assess whether their work or activities would be of interest to cybercriminals. AlienVault Labs researcher Jaime Blasco said in his analysis that the latest threat shows multiple threat actors are using the same exploits.

PUBLISHED MARCH 14, 2013