Adobe Reader vulnerabilities are often exploited by cybercriminals to drop malware onto their targets’ computers. Experts have identified a number of advanced persistent threat (APT) campaigns that rely on such security holes.
Trend Micro researchers have analyzed several APT campaigns and have found that at least three of them rely on the CVE-2013-0640 vulnerability to distribute malware. This exploit is widely known because it has been used in the MiniDuke campaign.
One of the campaigns that use the PDF exploit is Zegost. Experts have identified PDF documents, written in Vietnamese, that are very similar to the files used in the MiniDuke attacks.
The dropped files and data are similar, their number is similar, and their purposes are also very much the same. However, the payload dropped in the Zegost attacks isn’t connected in any way with the MiniDuke malware payload.
Another series of malicious PDFs have been identified in PlugX campaigns. Cybercriminals, possibly not related to each other, have attempted to drop various versions of PlugX on the computers of users from Japan, India and South Korea.
While there have been some similarities between the Zegost and the MiniDuke operations, experts say these PlugX attacks are different.
“Our research indicates that attackers engaged in APT campaigns may have adapted the exploit made infamous by the MiniDuke campaign and have incorporated it into their arsenal,” explained Nart Villeneuve, senior threat researcher at Trend Micro.
“At the same time, we have found that other APT campaigns seem to have developed their own methods to exploit the same vulnerability. The increase in malicious PDF’s exploiting CVE-2013-0640 may indicate the start of shift in APT attacker behavior away from using malicious Word documents that exploit the now quite old CVE-2012-0158.”