Client-Side Vulnerabilities – Adobe Malware attacks targeting
NOTE: If you no longer wish to receive these alerts, send a reply with "disable"
TO: All Members
DATE ISSUED: October 16, 2014
SUBJECT: Invoice Phishing Spam Campaign Distributing Dyre Banking Trojan
CIS recently became aware of a massive spam campaign targeting
users in various sectors. Phishing emails used in the campaign contain a PDF
attachment named Invoice621785.pdf. This attachment is a weaponized PDF
document exploiting a vulnerability in Adobe Reader (CVE-2013-2729). After
successful exploitation, the user's system downloads additional malware from
hxxp://rlmclahore.com/Resources/Search/1510out[.]exe. This is a banking trojan
similar to Zeus/Citadel in that it targets sensitive user information, including
banking credentials. As of this writing, all of the major AV products are
detecting this malware as Trojan Dyre/Zbot/Fondu.
Phishing Email Characteristics:
Subject line: "Unpaid invoic" [Please note the typo in the subject line]
System Level Indicators (If successful in exploitation):
itself under C:\Windows\[RandomName].exe
a Service named "Google Update Service" by setting the following
"Google Update Service"
Network Level Indicators:
First Stage Download:
Second Stage C2
Please note that the Domain and IP indicators above were observed
during our analysis and the list does not represent all network indicators for
We also noted that the network communication is using a
certificate with organization name “internet widgits pty ltd”.
Run all software as a non-privileged user (one without
administrative privileges) to diminish the effects of a successful attack.
Do not open email attachments from unknown or untrusted
Limit user account privileges to only those required.
Remind users not to visit untrusted websites or follow
links provided by unknown or untrusted sources.
Keep all operating system, applications and essential
software up to date to mitigate potential exploitation by attackers.
Ensure that systems are hardened with industry-accepted
Make sure all AV products are up-to-date with their
Implement filters at your email gateway for filtering
out emails with subject line “Unpaid invoic”. [Note the typo]
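The indicators in the advisory (the misspelled subject line, the attachment name, the first-stage download host, the persistence service name and the TLS certificate organization) can be turned directly into detection logic. The script below is an added example, not part of the CIS/MS-ISAC advisory: it matches constructed email metadata, a constructed proxy log line, a certificate subject and a service list against the published indicators. The proxy log format is hypothetical. Two caveats worth building in: "Internet Widgits Pty Ltd" is the default organization name OpenSSL fills in when a self-signed certificate is generated without answering the prompts, so the certificate indicator is only meaningful together with the C2 traffic it was observed on; and the legitimate Google updater registers display names such as "Google Update Service (gupdate)", so the service indicator must be an exact match, not a substring match.

```python
"""Match constructed email, proxy, TLS and service records against the
indicators published in the advisory.  Added example; all sample records
below are constructed, not captured data."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicators taken verbatim from the advisory text.
SUBJECT_IOC = "Unpaid invoic"          # deliberate typo in the campaign subject
ATTACHMENT_IOC = "Invoice621785.pdf"
STAGE1_URL_DEFANGED = "hxxp://rlmclahore.com/Resources/Search/1510out[.]exe"
CERT_ORG_IOC = "internet widgits pty ltd"   # also OpenSSL's default O= value
SERVICE_IOC = "Google Update Service"       # exact display name used for persistence


def refang(url: str) -> str:
    """Undo the defanging used in the advisory (hxxp -> http, [.] -> .)."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


STAGE1_HOST = urlparse(refang(STAGE1_URL_DEFANGED)).hostname


def check_email(subject: str, attachments: List[str]) -> List[str]:
    """Return the advisory indicators an email matches (empty list = none)."""
    hits = []
    # Exact match on the misspelled subject; "Unpaid invoice" must NOT match,
    # otherwise legitimate mail would be filtered.
    if subject.strip().lower() == SUBJECT_IOC.lower():
        hits.append("subject matches campaign subject line")
    for name in attachments:
        if name.strip().lower() == ATTACHMENT_IOC.lower():
            hits.append("attachment name matches " + ATTACHMENT_IOC)
    return hits


# Hypothetical proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
PROXY_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def check_proxy_line(line: str) -> Optional[str]:
    """Flag a proxy log line whose URL host is the first-stage download host."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return None
    url = urlparse(m.group(4))
    if url.hostname and url.hostname.lower() == STAGE1_HOST:
        return f"{m.group(2)} requested {url.path} from first-stage host {STAGE1_HOST}"
    return None


def check_tls_cert(subject_fields: Dict[str, str]) -> bool:
    """True when the certificate subject's O= field equals the advisory value."""
    return subject_fields.get("O", "").strip().lower() == CERT_ORG_IOC


def check_services(service_names: List[str]) -> List[str]:
    """Exact-match the persistence service name; do not substring-match, because
    Google's legitimate updater uses names like 'Google Update Service (gupdate)'."""
    return [s for s in service_names if s == SERVICE_IOC]


def run_demo() -> Dict[str, object]:
    """Run every check over constructed sample records and return the findings."""
    findings: Dict[str, object] = {}
    findings["email"] = check_email("Unpaid invoic", ["Invoice621785.pdf"])
    findings["benign_email"] = check_email("Unpaid invoice", ["statement.pdf"])
    # Constructed proxy record, not real traffic.
    findings["proxy"] = check_proxy_line(
        "2014-10-16T09:12:44Z 10.0.0.23 GET "
        "http://rlmclahore.com/Resources/Search/1510out.exe 200")
    findings["tls"] = check_tls_cert({"C": "AU", "ST": "Some-State",
                                      "O": "Internet Widgits Pty Ltd"})
    findings["services"] = check_services(
        ["Google Update Service (gupdate)", "Google Update Service", "Spooler"])
    return findings


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The email checks are the ones a gateway filter would apply; the proxy, certificate and service checks belong in the SOC's log pipeline and endpoint inventory, and a hit on the certificate organization alone should be corroborated with the C2 host before being acted on.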
Center for Internet Security (CIS)
Multi-State Information Sharing & Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
Phone: (518) 266-3485
7x24 SOC: 1-866-787-4722