Background of the Attack

In a recent spam run, messages purporting to be an IT notification targeted several companies worldwide. The social engineering tactic may be old, but the use of a malicious .PDF file that leverages an inherent Adobe Reader and Acrobat feature makes this threat noteworthy.

What happens in this attack?

Users receive spammed messages purporting to be IT notification emails with a specially crafted .PDF attachment. The sample .PDF files are detected as TROJ_KATUSHA.F and TROJ_PIDIEF.ZAC. The routines of these malware are then exhibited on the affected system.

How do the related malware get into the users' system?

Once users open the malicious .PDF file detected as TROJ_PIDIEF.ZAC, it uses the PDF /launch feature to call on the embedded script batscript.vbs. The script file, detected as VBS_EMOTI.A, drops and executes a worm component named game.exe detected as WORM_EMOTI.A, which connects to possibly malicious URLs. The worm component also carries the rootkit file bp.sys detected as RTKT_EMOTI.A to possibly hide its malicious routines and to prevent itself from being discovered by the user.

How does it trick users into opening the attachment?

The email informs the recipients that their mailbox settings have been changed. It also tells users that the .PDF attachment contains the instructions that users need to read before updating their settings. Users who wish to learn more about the supposed changes might then open the malicious attachment.

Why is the attack noteworthy?

There have been several threats documented on the Malware Blog that use specially crafted .PDF files. However, most of these typically leverage Adobe Reader and Acrobat vulnerabilities to gain access to user systems. In this particular threat, the specially crafted .PDF successfully executes malware on the affected system by merely utilizing the legitimate PDF /launch feature, typically used to run applications or open embedded files.

So what can I do to protect my computer?

It is important that users exercise caution in opening email messages and downloading attached files. Spammed messages typically come from unknown senders. However, spammers also find ways to trick users into opening the message by making it appear as though the message came from a legitimate sender such as the company’s IT department. In cases like these, users need to pay closer attention to details such as the sender’s email address and the properties of the attached file. It would also be wise to directly contact department representatives to verify the authenticity of the email.

To further mitigate similar attacks, Adobe recommends changing the Adobe Reader and Acrobat setting to disallow the opening of non-PDF attachments, until a more permanent solution is provided. Administrators can also make certain changes in the registry settings to prevent users from turning the capability on.

Trend Micro™ Smart Protection Network™ can block the spam used in this attack via the Email reputation technology. It can detect and prevent the execution malicious files via the File reputation service. Malicious URLs are also blocked through the Web reputation service.

Non-Trend Micro product users can also stay protected via HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.