An Asruex variant which specifically uses old Microsoft Office and Adobe vulnerabilities to infect systems has been spotted by researchers.
Asruex first appeared in 2015. The Trojan originally used malicious shortcut files, sent to organizations, which downloaded a dropper for the Asruex payload hidden in an image file to compromise corporate networks.
The malware has previously been associated with DarkHotel, an advanced persistent threat (APT) group known for targeting the hotel and service industry.
These cyberattackers utilize a range of attack vectors, including the misuse of stolen certificates, the use of .HTA files and the infiltration of hotel Wi-Fi networks.
CVE-2012-0158 is a critical bug impacting Microsoft Office. Reported in 2012, the vulnerability can be exploited to conduct remote code execution (RCE) attacks via system state corruption.
CVE-2010-2883, an even older security flaw disclosed in 2010, is an Adobe Reader and Acrobat stack buffer overflow issue which can be utilized to execute arbitrary code or cause a denial of service.
Asruex exploits these vulnerabilities to compromise systems running old versions of the software on Windows and Mac machines, despite patches having been made available for years.
"Because of this unique infection capability, security researchers might not consider checking files for an Asruex infection and continue to watch out for its backdoor abilities exclusively," Trend Micro says.
The .PDF file sample was not, itself, malicious, but rather was a carrier of an Asruex infection. If opened by an old version of Reader and Acrobat, the content of the file is displayed normally but the malware will begin running in the background. Infected Word files will also act in the same way. Asruex may also appear as a standard executable.
Once executed on a target system, Asruex will check system data including running processes, module versions, file names, and certain strings in disk names to ascertain whether or not the malware is running in a sandbox environment.
If the PC passes these checks, the malware's backdoor is installed and data theft can begin. Asruex may also be used for ongoing, covert surveillance.
"This case is notable for its use of vulnerabilities that have been discovered (and patched) over five years ago, when we've been seeing this malware variant in the wild for only a year," Trend Micro says. "This hints that the cybercriminals behind it had devised the variant knowing that users have not yet patched or updated to newer versions of the Adobe Acrobat and Adobe Reader software."
A new Trojan, discovered by Zscaler ThreatLabZ researchers, has also recently been making the rounds. Earlier this month, the team said the new malware strain, dubbed Saefko, is being sold in underground forums and contains a range of tools for the theft of bank details, online gaming accounts, and cryptocurrency wallets.
Previous and related coverage
- New Saefko Trojan focuses on stealing your credit card details, crypto wallets
- Facebook abused to spread Remote Access Trojans since 2014
- This phishing campaign uses an odd tactic to infect Windows PCs with two forms of trojan malware
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0