New Uyghur and Tibetan Themed Attacks Using PDF Exploits
On Feb 12th 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit that is used to drop a previously unknown, advanced piece of malware. We called this new malware "ItaDuke" because it reminded us of Duqu and because the shellcode contains comments in archaic Italian copied from Dante Alighieri's "Divine Comedy".
Previously, we posted about another campaign hitting governments and other institutions, named Miniduke, which was also using the same "Divine Comedy" PDF exploits.
In the meantime, we have come across other attacks which piggyback on the same high-level exploit code, only this time the targets are different: Uyghur activists.
Together with our partners at AlienVault Labs, we analyzed these new exploits. For their blog post, which includes Yara rules and industry-standard IOCs, please read [here]. For our analysis, please read below.
The new attacks
A few days ago, we observed several PDF files which carry the CVE-2013-0640/641 (ItaDuke) exploits. Some of the MD5s and filenames include:
MD5                               Filename
7005e9ee9f673edad5130b3341bf5e5f  2013-Yilliq Noruz Bayram Merik isige Teklip.pdf
d00e4ac94f1e4ff67e0e0dfcf900c1a8  ÁLÃûÐÅ.pdf (joint_letter.pdf)
ad668992e15806812dd9a1514cfc065b  arp.pdf
The Kaspersky detection name for these exploits is Exploit.JS.Pdfka.gjc.
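The hashes above are the concrete IOCs this post offers, so the first thing a defender will want is a sweep for them. The script below is an added example, not code from Kaspersky or AlienVault: it walks a directory, matches each file's MD5 against the three published hashes, and, for anything that starts with a PDF header, also flags generic active-content name objects (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile). Those markers are an assumption on my part about what is worth a second look in a PDF, not a signature for CVE-2013-0640/641 (the exploit is JavaScript-driven, as the Exploit.JS.Pdfka detection name suggests, but so are many benign forms). The embedded sample PDF is constructed for the demonstration.

```python
import hashlib
import os
import re

# MD5s published on this page for the CVE-2013-0640/641 PDF droppers.
KNOWN_MD5S = {
    "7005e9ee9f673edad5130b3341bf5e5f": "2013-Yilliq Noruz Bayram Merik isige Teklip.pdf",
    "d00e4ac94f1e4ff67e0e0dfcf900c1a8": "joint_letter.pdf",
    "ad668992e15806812dd9a1514cfc065b": "arp.pdf",
}

# Assumed heuristic: PDF name objects that indicate active content. Generic
# markers for triage, not a detection for this specific exploit.
SUSPICIOUS_PDF_MARKERS = [
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile",
]


def md5_hex(data: bytes) -> str:
    """Hex MD5 of raw bytes; used only for matching published IOCs."""
    return hashlib.md5(data).hexdigest()


def pdf_markers(data: bytes) -> list[str]:
    """Return the suspicious PDF name objects present in raw file data.

    A marker must be followed by a non-alphanumeric byte so that /JS does not
    also fire on a longer name such as /JSX.
    """
    found = []
    for marker in SUSPICIOUS_PDF_MARKERS:
        if re.search(re.escape(marker) + rb"(?![A-Za-z0-9])", data):
            found.append(marker.decode())
    return found


def assess(data: bytes) -> dict:
    """Classify one file: known sample by hash, or suspicious PDF by markers."""
    digest = md5_hex(data)
    result = {
        "md5": digest,
        "is_pdf": data.startswith(b"%PDF"),
        "known_sample": KNOWN_MD5S.get(digest),
        "markers": [],
    }
    if result["is_pdf"]:
        result["markers"] = pdf_markers(data)
    return result


def scan_directory(root: str) -> list[dict]:
    """Walk a tree and return assessments for every file that hit on hash or markers."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result = assess(fh.read())
            if result["known_sample"] or result["markers"]:
                result["path"] = path
                hits.append(result)
    return hits


# Constructed sample (not a real attack document): a minimal PDF whose
# catalog declares an /OpenAction that runs JavaScript on open.
CONSTRUCTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('x')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(assess(CONSTRUCTED_PDF))
```

Hash matching only finds byte-identical copies of the three documents; the same exploit re-packed with a different lure will miss, which is why the marker pass is there to surface candidates for manual review. Treat a marker hit as a triage signal, not a verdict, since form-heavy legitimate PDFs carry JavaScript too.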