PDF Exploit Invites you to the Nobel Prize

An invitation to the Nobel Peace Prize awards is a difficult thing to ignore. That was exactly what cyber-thugs had in mind when a recent “Nobel invitation” scam (dated the 7th of November) was initiated.

More to the point, the victim receives a spoofed e-mail with an invitation to the Nobel Prize ceremony of Liu Xiaobo that looks like this:

Pretty convincing, isn’t it?

The e-mail comes with an attachment that is the “formal invitation” to the event. And it is this “formal invitation” that bears further “surprises” for the victim to be. The moment the PDF file disguised as a righteous invitation is opened, it immediately triggers a PDF exploit (detected by BitDefender® as Exploit.PDF-TTF.Gen) in order to decrypt and drop three components:

    –  iso88591 that contains the payload;

    – svchost.exe (identified by BitDefender as Trojan.Dropper.Agent.VCS) that will drop a file in c:windowsmidimap.dll. Since there is another legit midimap.dll file located in the system32 folder, any application calling functions from the original DLL will actually call the malicious dll file which has a shorter path. This technique is called DLL hijacking and will cause all programs that need to play a sound (including media players, instant messenger clients, browsers and the like) to trigger the malicious code;

     –    a clean PDF file with an invitation meant to trick the victim into further believing into the legitimacy of the e-mail.

After the malicious files have been set in place, the infected PDF file terminates Adobe® Reader® and restarts it to display the contents of the         clean PDF. This way, the user is lead into believing that everything went just as described in the message and will most probably overlook whatever happened behind the curtains.

The backdoor will try to call home at[removed].3322.org and send information about the system’s name, the currently logged-in user, CPU and physical memory / page file usage. By the time the “handshake” between the backdoor and the command-and-control server has been completed, your system is already in the hands of the remote attacker.

There has been a lot of ruse around the Nobel Prize lately. You might remember our previous report on the Nobel Prize official site being hacked and used to spread a 0-day Firefox bug. So always remember to treat messages from unknown contacts and the e-mail attachments with maximum of suspicion. Rather than opening them directly from the e-mail client, you are advised to download attachments and scan them with your locally installed antivirus.

Also, please note that Adobe has issued a patch to shield users from the vulnerability, so make sure that you have updated your application before you open up any PDF documents.

The technical information in this article is available courtesy of BitDefender virus researchers Doina Cosovan and Octavian Minea.

Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.