Here’s a short movie to demonstrate the attack
The dropped malicious file will subsequently trigger the download of an infected file from remote locations (the samples analyzed by BitDefender would attempt to connect to http://210.[removed].214/img/ and download a file called xslu.exe). A secondary DLL is also dropped in the %windows%\system32 folder (overwriting a system file) and injected into an instance of SVCHOST.EXE. Once it is in place, the DLL acts as a backdoor and starts sending critical information about the infected system to a remote server.
The information includes the local IP address, the DHCP server (if enabled), the subnet mask, the default gateway, as well as the CPU type and its frequency. Some OS details are also collected, such as the user information and administrators group, the last update patches, network resources, installed applications, installed services and browser information.
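The chain described above (Reader drops a DLL into system32, SVCHOST loads it, the backdoor fetches xslu.exe from an /img/ path) can be turned into a simple correlation rule over endpoint telemetry. The following is an added detection example, not BitDefender's code: the event schema, the process names, the overwritten DLL name and the 203.0.113.10 host are constructed placeholders (the page redacts the real address).

```python
"""Correlate constructed endpoint events against the infection chain described
in the text. The event format is a constructed, vendor-neutral schema."""
from urllib.parse import urlparse

SYSTEM32 = "c:\\windows\\system32\\"
DROPPER_PARENTS = {"acrord32.exe", "acrobat.exe"}  # assumed Reader/Acrobat process names
STAGE2_NAME = "xslu.exe"   # second-stage filename quoted on the page
STAGE2_DIR = "/img/"       # URL path quoted on the page

def detect(events):
    """Return findings for events of type file_write, image_load or network."""
    dropped = set()   # lower-cased DLL paths written into system32 by a Reader process
    findings = []
    for ev in events:
        proc = ev["process"].lower()
        if ev["type"] == "file_write":
            path = ev["path"].lower()
            if path.startswith(SYSTEM32) and path.endswith(".dll") and proc in DROPPER_PARENTS:
                dropped.add(path)
                findings.append(f"system32 DLL written by {proc}: {path}")
        elif ev["type"] == "image_load":
            # SVCHOST loading a DLL that a document reader just wrote is the injection step
            if proc == "svchost.exe" and ev["image"].lower() in dropped:
                findings.append(f"svchost.exe loaded dropped DLL: {ev['image']}")
        elif ev["type"] == "network":
            u = urlparse(ev["url"])
            if proc == "svchost.exe" and u.path.startswith(STAGE2_DIR) and u.path.endswith(STAGE2_NAME):
                findings.append(f"svchost.exe fetched second stage: {ev['url']}")
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the incident
    {"type": "file_write", "process": "AcroRd32.exe",
     "path": "C:\\Windows\\system32\\EXAMPLE_OVERWRITTEN.dll"},  # placeholder DLL name
    {"type": "image_load", "process": "svchost.exe",
     "image": "C:\\Windows\\system32\\EXAMPLE_OVERWRITTEN.dll"},
    {"type": "network", "process": "svchost.exe",
     "url": "http://203.0.113.10/img/xslu.exe"},  # placeholder host (TEST-NET-3)
    {"type": "network", "process": "firefox.exe",
     "url": "http://example.com/img/logo.png"},  # benign, must not match
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```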
Please note that Adobe labeled the vulnerability as critical and it affects the following applications:
- Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems (because of the authplay.dll sub-component shipped with both applications).
As of the moment of writing, there is no vendor patch to mitigate the attack. In order to stay safe, we advise users to install and update a complete antimalware solution and to exercise extra caution when opening PDF files that may arrive either as attachments or as web links in mail and IM messages.