Adobe 0-days used for IEEE aerospace spearphishing attacks

  • Liam Tung (CSO Online)
  • — 11 February, 2013 09:49

Attackers using the zero-day Adobe Flash flaws patched last week delivered the exploits via spearphishing emails aimed at the aerospace sector, according to security researchers.

Security firm AlienVault on Friday published details confirming that the exploits underpinned a targeted campaign against US aerospace companies and related industry.

Adobe’s patch last Friday fixed one zero-day that was being exploited through malicious Flash content embedded in Microsoft Office documents for Windows, delivered as email attachments.

According to Jaime Blasco, director of AlienVault Labs, one of the Office attachments carrying the Flash exploit was a 2013 Institute of Electrical and Electronics Engineers (IEEE) Aerospace Conference schedule.


2013 IEEE Aerospace Conference schedule. Image credit: AlienVault.

Another attack document used an “Employee Quick Reference Guide” made to appear to come from the US payments processing giant Automatic Data Processing (ADP), a company with 600,000 clients, including multinationals such as Alcoa.

The other zero-day exploit targeted Macs via a malicious Flash (SWF) file hosted on websites, exploiting Flash when loaded in Firefox or Safari. Adobe credited the CERT of aerospace giant Lockheed Martin with discovering that exploit, giving some indication of the calibre of target the hackers were seeking.

Security firm FireEye first detected the exploit on February 5, 2013, and notes in its analysis that the codepage of the Word files used in the attacks is “Windows Simplified Chinese (PRC, Singapore).”

The executables were signed with a fake certificate from South Korean gaming company MGAME, which had also been used to sign the PlugX remote access tool (RAT) in past attacks on NGOs, according to AlienVault.

The malware had two oddities: a code reference to “Lady Boyle”, a character in the adventure game Dishonored, and a malicious Flash file the authors never obfuscated, leaving it open to detection by generic antivirus signatures.
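The two technical details above, Flash content embedded in Office attachments and an unobfuscated SWF that generic signatures could catch, suggest the triage a responder would run on a suspect attachment. The following Python script is an added example, not code from CSO, AlienVault or FireEye: it carves FWS/CWS headers out of an arbitrary document blob, inflates zlib-compressed ones, walks the SWF tag list and flags DoABC/DoAction tags that carry ActionScript bytecode. The sample document bytes and the SWF inside it are constructed for the demonstration (the DoABC payload is a synthetic stub, not real exploit code); tag codes and header layout follow Adobe's published SWF file-format specification.

```python
"""Carve embedded Flash (SWF) files out of a document blob and triage their tags.
Added example, not AlienVault/FireEye/CSO code. The sample document below is
constructed for the demonstration; tag codes follow Adobe's SWF file-format spec."""
import struct
import zlib

# Tag codes from the SWF file-format specification (subset).
TAG_NAMES = {0: "End", 1: "ShowFrame", 12: "DoAction", 69: "FileAttributes",
             82: "DoABC", 87: "DefineBinaryData"}
SCRIPT_TAGS = {12, 82}  # DoAction (AS1/2 bytecode), DoABC (AS3 bytecode)


def find_swf_candidates(blob, max_version=40):
    """Return (offset, magic) for every plausible FWS/CWS header in blob."""
    hits = []
    for magic in (b"FWS", b"CWS"):
        i = blob.find(magic)
        while i >= 0:
            if i + 8 <= len(blob):
                version = blob[i + 3]
                declared = struct.unpack_from("<I", blob, i + 4)[0]
                # A real header has a sane version and a length covering itself.
                if 1 <= version <= max_version and declared >= 8:
                    hits.append((i, magic))
            i = blob.find(magic, i + 1)
    return sorted(hits)


def extract_swf_body(blob, offset):
    """Return the SWF bytes after the 8-byte header (inflated for CWS), else None."""
    magic = blob[offset:offset + 3]
    declared = struct.unpack_from("<I", blob, offset + 4)[0]
    if magic == b"FWS":
        return blob[offset + 8:offset + declared] if offset + declared <= len(blob) else None
    try:  # CWS: a zlib stream follows the header; bytes after the stream are ignored
        body = zlib.decompressobj().decompress(blob[offset + 8:])
    except zlib.error:
        return None  # plain text that merely contains "CWS" lands here
    return body if len(body) == declared - 8 else None


def parse_tags(body):
    """Walk the tag list that follows the RECT / frame-rate / frame-count header."""
    nbits = body[0] >> 3                    # RECT: 5-bit Nbits, then 4 fields of Nbits
    pos = (5 + 4 * nbits + 7) // 8 + 4      # RECT bytes + UI16 frame rate + UI16 count
    tags = []
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:                  # long-form RECORDHEADER
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, length))
        pos += length
        if code == 0:
            break
    return tags


def scan_document(blob):
    """Summarise every SWF carved from blob: offset, compression, tags, script flag."""
    results = []
    for offset, magic in find_swf_candidates(blob):
        body = extract_swf_body(blob, offset)
        if body is None:
            continue
        tags = parse_tags(body)
        results.append({"offset": offset, "compressed": magic == b"CWS", "tags": tags,
                        "tag_names": [TAG_NAMES.get(c, "Tag%d" % c) for c, _ in tags],
                        "has_script": any(c in SCRIPT_TAGS for c, _ in tags)})
    return results


def build_swf(tags, compress):
    """Build a minimal SWF for the constructed sample (not a real exploit file)."""
    bits = format(15, "05b") + "".join(format(v, "015b") for v in (0, 11000, 0, 8000))
    rect = int(bits.ljust(72, "0"), 2).to_bytes(9, "big")   # 550x400 twip stage
    body = rect + struct.pack("<HH", 0x0C00, 1)             # 12 fps, 1 frame
    for code, payload in tags + [(0, b"")]:                 # short-form headers only
        body += struct.pack("<H", (code << 6) | len(payload)) + payload
    header = (b"CWS" if compress else b"FWS") + bytes([10]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


# Constructed sample: OLE magic, padding, a decoy "CWS" in text, then an embedded
# compressed SWF whose DoABC tag carries a synthetic ActionScript 3 stub.
_PREFIX = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
_DECOY = b"Note: CWS inside plain text is not a Flash header. "
_SWF = build_swf([(69, b"\x08\x00\x00\x00"),
                  (82, b"\x01\x00\x00\x00" + b"frame1\x00" + b"\x10\x00\x2e\x00"),
                  (1, b"")], compress=True)
EMBEDDED_OFFSET = len(_PREFIX) + len(_DECOY)
SAMPLE_DOC = _PREFIX + _DECOY + _SWF + b"\x00" * 16

if __name__ == "__main__":
    for hit in scan_document(SAMPLE_DOC):
        print("SWF at 0x%x compressed=%s script=%s tags=%s" % (
            hit["offset"], hit["compressed"], hit["has_script"], hit["tag_names"]))
```

Run against a real attachment by replacing SAMPLE_DOC with the file's bytes. The decoy shows why header carving alone is not enough: the three-letter magic is common in text, so the length check and a successful inflate to the declared size are what separate a real Flash object from noise. An unobfuscated SWF such as the one FireEye described will yield a clean DoABC tag list here; a packed one typically hides the bytecode inside a DefineBinaryData tag that a second-stage loader unpacks, which is the next place to look.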

“It is odd and sloppy for a threat attempting industrial espionage,” FireEye researchers Josh Gomez, Thoufique Haq, and Yichong Lin noted.
