Asruex Trojan exploits old Office, Adobe bugs to backdoor your system

The malware’s selection of old vulnerabilities highlights a patching issue worldwide.

Data-stealing malware returns upgraded with cryptominer and trojan Large parts of the Scranos operation were taken out in April - but it's already back and the criminals behind it seem more determined than ever, adding a trojan and a cryptojacker to their adware scheme.

An Asruex variant which specifically uses old Microsoft Office and Adobe vulnerabilities to infect systems has been spotted by researchers.

Asruex first appeared in 2015. The Trojan originally used malicious shortcut files, sent to organizations, which downloaded a dropper for the Asruex payload hidden in an image file to compromise corporate networks. 

The malware has previously been associated with DarkHotel, an advanced persistent threat (APT) group known for targeting the hotel and service industry. 

These cyberattackers utilize a range of attack vectors, including the misuse of stolen certificates, the use of .HTA files and the infiltration of hotel Wi-Fi networks. 

On Thursday, researchers from Trend Micro said the new Asruex variant, discovered in malicious .PDF files used in phishing campaigns, makes use of CVE-2012-0158 and CVE-2010-2883

See also: Cybersecurity: This trojan malware being offered for free could cause hacking spike

CVE-2012-0158 is a critical bug impacting Microsoft Office. Reported in 2012, the vulnerability can be exploited to conduct remote code execution (RCE) attacks via system state corruption. 

CVE-2010-2883, an even older security flaw disclosed in 2010, is an Adobe Reader and Acrobat stack buffer overflow issue which can be utilized to execute arbitrary code or cause a denial of service. 

Asruex exploits these vulnerabilities to compromise systems running old versions of the software on Windows and Mac machines, despite patches having been made available for years. 

"Because of this unique infection capability, security researchers might not consider checking files for an Asruex infection and continue to watch out for its backdoor abilities exclusively," Trend Micro says. 

CNET: Google removes 200 YouTube channels over Hong Kong misinformation

The .PDF file sample was not, itself, malicious, but rather was a carrier of an Asruex infection. If opened by an old version of Reader and Acrobat, the content of the file is displayed normally but the malware will begin running in the background. Infected Word files will also act in the same way. Asruex may also appear as a standard executable.

screenshot-2019-08-23-at-08-47-20.png

Once executed on a target system, Asruex will check system data including running processes, module versions, file names, and certain strings in disk names to ascertain whether or not the malware is running in a sandbox environment. 

If the PC passes these checks, the malware's backdoor is installed and data theft can begin. Asruex may also be used for ongoing, covert surveillance.

TechRepublic: Why hackers still impersonate Microsoft more than any other company

"This case is notable for its use of vulnerabilities that have been discovered (and patched) over five years ago, when we've been seeing this malware variant in the wild for only a year," Trend Micro says. "This hints that the cybercriminals behind it had devised the variant knowing that users have not yet patched or updated to newer versions of the Adobe Acrobat and Adobe Reader software."

A new Trojan, discovered by Zscaler ThreatLabZ researchers, has also recently been making the rounds. Earlier this month, the team said the new malware strain, dubbed Saefko, is being sold in underground forums and contains a range of tools for the theft of bank details, online gaming accounts, and cryptocurrency wallets. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0