CVE-2009-0927 : PDF Exploit targets Aviation Defense Industry


Security researchers have come across a spam email that leads to a malware page which delivers the PDF exploit (CVE-2009-0927). The campaign appears to be targeting the aviation defense industry.

About CVE-2009-0927:
A stack-based buffer overflow vulnerability in Adobe Reader and Adobe Acrobat before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object (Collab.getIcon()).
If the recipient opens the malicious PDF file, it opens a decoy document displaying an invitation to an actual defense industry event while, in the background, it exploits the PDF vulnerability.

If the victim's machine runs a vulnerable version, the shellcode inside the PDF executes. The shellcode writes a file named evtmgr.exe to the Temp folder and runs it.

The executable then drops a DLL named mssrt726.dll, which performs the network communication and opens a backdoor on TCP port 49163.