CVE-2009-0563

On Feb 12th 2013, FireEye announced the discovery of an Adobe Reader 0-day exploit which is used to drop a previously unknown, advanced piece of malware. We called this new malware “ItaDuke” because it reminded us of Duqu and because of the ancient Italian comments in the shellcode copied from Dante Alighieri’s “Divine Comedy”. Previously, we posted about another campaign hitting Governments and other institutions, named Miniduke, which was also using the same “Divine Comedy” PDF e...

In partnership with researchers at AlienVault Labs, we ve analysed a series of targeted attacks against Uyghur Mac OS X users which took place during the past months. You can read their analysis here. For our research, please read below. We previously wrote about targeted attacks against Tibetan activists which used Mac OS X malware. In addition to these, last June we reported about attacks using Mac OS X malware against Uyghur supporters. These later attacks took advantage of social engineering...

Two days ago we intercepted a new APT campaign using a new MacOS X backdoor variant targeted at Uyghur activists. But before we go into details, let’s start with a quiz: – The Dalai Lama walks into an Apple Store. Why? A possible answer is, “to buy one of the new MacBook Pro’s with the Retina display!” (speaking of which, I would very much like to buy one of those as well, but it’s kind of difficult to justify the hit to the family budget) Joke aside, actually Dalai Lama is a well kn...

Two days ago we intercepted a new APT campaign using a new MacOS X backdoor variant targeted at Uyghur activists. But before we go into details, let’s start with a quiz: – The Dalai Lama walks into an Apple Store. Why? A possible answer is, “to buy one of the new MacBook Pro’s with the Retina display!” (speaking of which, I would very much like to buy one of those as well, but it’s kind of difficult to justify the hit to the family budget) Joke aside, actually Dalai Lama is a well kn...

The investigation into the Duqu Trojan is into its sixth month, and March brought further progress as we were able to establish which language was used for its Framework code. This discovery was made with the help of the international IT community, from which we received several hundred possible explanations and hypotheses. The Duqu Framework was written in C and compiled with MSVC 2008 with the options “/O1” and “/Ob1”. Its creators most probably used the object-oriented extension of th...

Late last week, we found evidence of a possible link between a Mac OS X backdoor trojan and an APT attack known as LuckyCat. The IP address of the C&C to which this bot connects (199.192.152.*) was also used in other Windows malware samples during 2011, which made us believe we were looking at the same entity behind these attacks. For the past two days, we have been monitoring a “fake” infected system – which is a typical procedure we do for APT bots. We were extremely surprised when d...

Kaspersky Lab tags MS Word as the vector

Hard on the heels of the Flashback Trojan, Kaspersky Lab is warning of a new OSX threat, which it’s dubbed Backdoor.OSX.SabPub.a. In a post to Securelist, Kaspersky’s Costin Raiu says the Trojan connects to a command and control server hosted on a Californian-based VPS associated with the Onedumb.com free DNS. Apparently a month old, the Trojan uses a Java exploit given the name Exploit.Java.CVE-2012-0507.bf in the Kaspersky post, with the ZelixKlassMaster obfuscator to try and get past malw...