Earlier today I was tipped off that CVE-2012-0754 had made its way into a PDF document and got hold of a sample to reverse. This sample was obtained from the public PDF X-RAY repository by searching for “MyComputer”. Below I will quickly outline my analysis of the document and then jump over to some of the cooler aspects.
The document itself consisted of two versions, but both appeared to carry the same exploit code. What caught me right away was the metadata contained within the document:
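Two points from the paragraph above are cheap to check before opening a suspicious PDF in any parser: how many times the file has been saved (each incremental save appends another trailer and `%%EOF`, which is how a document ends up with "two versions"), and what the `/Info` dictionary claims about its origin. The script below is an added example, not code from the original post; it uses only the standard library and runs against a constructed minimal PDF (`SAMPLE_PDF`, two versions, `MyComputer` as the Creator string) rather than the real sample. Cross-reference tables are omitted from the constructed file and are not needed by the checks.

```python
import re

# Constructed sample (not the document from the post): a minimal PDF whose
# first version carries an /Info dictionary, followed by one incremental
# update that appends a replacement /Info object and a second trailer/%%EOF.
# Xref tables are left out; the checks below only look at markers and strings.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Creator (MyComputer) /Producer (Acrobat Distiller) "
    b"/CreationDate (D:20120301120000Z) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
    b"4 0 obj\n<< /Creator (MyComputer) /Producer (Acrobat Distiller) "
    b"/ModDate (D:20120302093000Z) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
)

INFO_KEYS = ("Title", "Author", "Subject", "Creator",
             "Producer", "CreationDate", "ModDate")

# Literal PDF strings: parentheses with backslash escapes. Nested unescaped
# parentheses and hex strings <...> are not handled; this is triage, not a parser.
_INFO_RE = re.compile(
    rb"/(" + b"|".join(k.encode() for k in INFO_KEYS) + rb")\s*\(((?:[^()\\]|\\.)*)\)"
)
_TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.S)


def count_revisions(data: bytes) -> int:
    """Number of %%EOF markers; more than one means the file was saved incrementally."""
    return len(re.findall(rb"%%EOF", data))


def trailer_info_refs(data: bytes) -> list:
    """Object number referenced as /Info by each trailer, in file order (None if absent)."""
    refs = []
    for m in _TRAILER_RE.finditer(data):
        ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", m.group(1))
        refs.append(int(ref.group(1)) if ref else None)
    return refs


def extract_info(data: bytes) -> dict:
    """Metadata strings found anywhere in the file. Later occurrences win,
    which mirrors how a reader resolves objects replaced by an incremental update."""
    found = {}
    for m in _INFO_RE.finditer(data):
        found[m.group(1).decode()] = m.group(2).decode("latin-1")
    return found


def triage(data: bytes) -> dict:
    """Combine the three checks into one record suitable for logging or diffing."""
    return {
        "revisions": count_revisions(data),
        "info_refs": trailer_info_refs(data),
        "info": extract_info(data),
    }


if __name__ == "__main__":
    import json
    import sys
    # Pass a file path to triage a real document; otherwise use the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print(json.dumps(triage(blob), indent=2))
```

A revision count above one is not malicious by itself (legitimate editors save incrementally too), but a document whose earlier version differs from the visible one, or whose `/Info` strings change between trailers, is worth a closer look before any parser touches it.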
It is presently unclear what traffic and information were passed back and forth, but I am hoping the binary analysis will lead to a clear picture. Googling around for the malware brings up references to Symantec’s “Barkiofork” family of malware. I managed to find a report here and here that looks close to the malware that was dropped from the PDF.
What I found more interesting, however, was the interaction from the remote C2 server. It appears that this C2 didn't gain as much attention as some of the others and had remained active online. The quick interaction could have been scripted, but after many attempts from many different IP spaces, I was never able to reproduce the activity on the first run (refreshed VMs every time).
In the next few days I will write another post on the more interesting child process, ~ISUN32.EXE, describing its functionality and purpose.