Malicious PDFs attached to email messages sent in November were confirmed this week by Symantec’s security researchers to be exploits aimed at defense contractors and other businesses.
Symantec’s Joshua Talbot reported that the exploit for the unpatched Adobe Reader flaw was sent to people at defense, chemical, manufacturing, computer-hardware and telecommunications companies.
The company searched the sensors in its global network for email messages carrying malicious PDF attachments and found that the exploit emails were sent on the first and fifth of November 2011.
Adobe has already published an advisory for users of its Acrobat and Reader products. It credited the Defense Security Information Exchange (DSIE) and Lockheed Martin’s security response team with reporting the attacks, which target a “zero-day” flaw in Reader and Acrobat that was being exploited on Windows PCs.
DSIE is a group of companies that are also members of the Defense Industrial Base (DIB). Among the largest US defense contractors in the DIB are General Dynamics, Pratt & Whitney, Raytheon, Boeing, Northrop Grumman and Lockheed Martin.
The malicious email purports to be about a 2012 guide to contract-award policies, and the attached PDF supposedly contains sample pitches the recipient can use; that is the lure that gets the victim to open the document. The exploit itself is malformed 3D graphics data concealed within the PDF: when Reader opens the file and parses that data, the flaw is triggered and the attacker’s code runs, which then installs malware on the PC.
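Because the exploit rides in 3D graphics data embedded in the PDF, a useful first triage step for suspicious attachments is to check whether a PDF carries any 3D object at all, including one hidden inside a compressed object stream. The following scanner is an added example written for this page; it is not Symantec’s or Adobe’s code, it does not detect the specific flaw described above, and the three sample PDFs it checks are constructed inline so it runs offline.

```python
"""Triage heuristic for PDF attachments: flag files that carry embedded 3D
graphics objects, including ones tucked inside FlateDecode-compressed
object streams. Added example for this article, not vendor code."""
import re
import zlib

# PDF dictionary names that announce 3D content: 3D annotations and the
# U3D/PRC data streams they reference. A hit means "3D object present", nothing more.
THREE_D_MARKERS = {
    "3d_annotation":  re.compile(rb"/Subtype\s*/3D\b"),
    "3d_stream_dict": re.compile(rb"/Type\s*/3D\b"),
    "u3d_stream":     re.compile(rb"/Subtype\s*/U3D\b"),
    "prc_stream":     re.compile(rb"/Subtype\s*/PRC\b"),
    "3d_data_ref":    re.compile(rb"/3DD\b"),
}

# A stream body sits between "stream\n" and "\nendstream"; DOTALL lets it span binary data.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(pdf: bytes) -> list[bytes]:
    """Return the decompressed body of every FlateDecode stream that inflates cleanly.

    Object streams (/ObjStm) can hold the dictionaries of other objects, so a
    raw byte scan alone can miss a 3D annotation that lives inside one."""
    inflated = []
    for match in STREAM_RE.finditer(pdf):
        # The stream's own dictionary lies between the enclosing "N G obj" and "stream".
        obj_start = max(pdf.rfind(b" obj", 0, match.start()), 0)
        header = pdf[obj_start:match.start()]
        if b"/FlateDecode" not in header:
            continue
        try:
            inflated.append(zlib.decompress(match.group(1)))
        except zlib.error:
            # Truncated or corrupted deflate data: skip it here (a fuller triage
            # tool would report it, since it is suspicious in its own right).
            continue
    return inflated


def find_indicators(pdf: bytes, inflate: bool = True) -> dict[str, int]:
    """Count each 3D marker in the raw bytes and, optionally, inside inflated streams."""
    haystacks = [pdf] + (inflate_streams(pdf) if inflate else [])
    return {
        name: sum(len(pattern.findall(blob)) for blob in haystacks)
        for name, pattern in THREE_D_MARKERS.items()
    }


def has_3d_content(pdf: bytes, inflate: bool = True) -> bool:
    """True if any 3D marker appears. Treat a hit as 'open only in a sandbox', not 'exploit'."""
    return any(find_indicators(pdf, inflate).values())


# --- Constructed sample documents (not real attachments) ---------------------

# 1. A page with a visible 3D annotation and its U3D data stream in the clear.
SAMPLE_3D_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /3D /Rect [0 0 300 300] /3DD 5 0 R >> endobj\n"
    b"5 0 obj << /Type /3D /Subtype /U3D /Length 4 >>\nstream\nU3D\x00\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# 2. The same annotation dictionary, but concealed inside a compressed object stream.
_HIDDEN_3D_DICT = b"4 0 << /Type /Annot /Subtype /3D /Rect [0 0 300 300] /3DD 5 0 R >>"
_HIDDEN_3D_DEFLATED = zlib.compress(_HIDDEN_3D_DICT)
SAMPLE_HIDDEN_3D_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj\n"
    b"6 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_HIDDEN_3D_DEFLATED)).encode() + b" >>\nstream\n"
    + _HIDDEN_3D_DEFLATED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# 3. A benign document whose only stream is compressed page text.
_PAGE_TEXT_DEFLATED = zlib.compress(b"BT /F1 12 Tf 72 720 Td (2012 award guide) Tj ET")
SAMPLE_BENIGN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >> endobj\n"
    b"4 0 obj << /Filter /FlateDecode /Length "
    + str(len(_PAGE_TEXT_DEFLATED)).encode() + b" >>\nstream\n"
    + _PAGE_TEXT_DEFLATED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("clear 3D", SAMPLE_3D_PDF), ("hidden 3D", SAMPLE_HIDDEN_3D_PDF), ("benign", SAMPLE_BENIGN_PDF)):
        print(label, has_3d_content(sample), find_indicators(sample))
```

The second sample is the case that matters in practice: its raw bytes contain no 3D marker, so a grep-style check passes it, while inflating the object stream exposes the annotation. The scanner is deliberately a triage signal rather than a verdict: 3D annotations are legitimate in engineering documents, it only handles FlateDecode (not LZW, ASCIIHex or encrypted PDFs), and a PDF that fails to inflate or uses unusual filters deserves the sandbox anyway.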
According to Talbot, the malware used in this campaign is similar to what attackers used in a 2010 attack dubbed Sykipot. That earlier campaign targeted an unpatched bug in versions 6 and 7 of Microsoft’s Internet Explorer. Talbot added that Sykipot, a general-purpose backdoor, is notable because it encrypts the information it steals, hiding exactly what was taken.
Symantec suspects that the Sykipot attackers are the same group behind the Reader exploits.
Adobe said it would patch the flaw in Acrobat and Reader 9.x for Windows by the following weekend; fixes for all other platforms are expected next month.