The attack starts with a legitimate-looking PDF file

Sep 13, 2012 09:18 GMT

Researchers have analyzed an interesting piece of malware called Page. They have found that this critical, limited-edition malware masquerades as a PDF file and is sent to companies in the aviation defense industry.

When victims open the apparently-innocent PDF file, they’re presented with an invitation to an upcoming industry event – a fact which clearly shows that the attacks are designed to specifically target the defense sector.

Meanwhile, as the unsuspecting user views the invitation, a vulnerability in Collab.getIcon() is exploited to create and execute a file.

Once executed, the file drops a DLL, which opens a backdoor on TCP port 49163 and initiates network communications, FireEye experts have explained in a blog post.
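A defender-side triage sketch for the delivery stage described above, added here as an example and not taken from the researchers' analysis: it flags PDFs that pair embedded JavaScript with a reference to Collab.getIcon, including inside Flate-compressed streams and behind hex-escaped PDF names. The function names and sample bytes are constructed for illustration, and a hit is a reason for closer analysis, not proof of exploitation.

```python
import re
import zlib

# PDF name tokens that make JavaScript run, plus the API named in the article.
NAME_TOKENS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS")
API_MARKER = b"collab.geticon"  # compared case-insensitively

def unescape_names(blob: bytes) -> bytes:
    """Undo #XX hex escapes in PDF names (/J#61vaScript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), blob)

def iter_streams(data: bytes):
    """Yield every stream body, inflated when it is zlib (FlateDecode) data."""
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        body = m.group(1)
        try:
            # decompressobj tolerates the end-of-line bytes left before 'endstream'
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # other filter or plain text: scan the bytes as they are

def triage_pdf(data: bytes) -> dict:
    """Report which indicators occur in the file or in any inflated stream."""
    blobs = [unescape_names(b) for b in (data, *iter_streams(data))]
    hits = {t.decode(): any(t in b for b in blobs) for t in NAME_TOKENS}
    hits["Collab.getIcon"] = any(API_MARKER in b.lower() for b in blobs)
    # Script present AND it references the API: worth an analyst's attention.
    hits["suspicious"] = hits["Collab.getIcon"] and (hits["/JS"] or hits["/JavaScript"])
    return hits

# Constructed sample: harmless one-line script, Flate-compressed like real files.
JS_STREAM = zlib.compress(b"var icon = Collab.getIcon('placeholder');")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /J#61vaScript /JS 3 0 R >> endobj\n"
    b"3 0 obj << /Filter /FlateDecode /Length " + str(len(JS_STREAM)).encode()
    + b" >>\nstream\n" + JS_STREAM + b"\nendstream endobj\n%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
    print(triage_pdf(BENIGN_PDF))
```

The scan only inflates FlateDecode data, so streams using other filters are checked as raw bytes and a script hidden that way will not match.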

While there’s nothing really innovative in the way this malware works, it’s a clear indication that cybercriminals are focusing their efforts on penetrating organizations in the defense industry.