Malware Spreads Through Malicious PDF Attachments

When I blog about spam campaigns that are spreading malware, the malware is usually being spread through a malicious email attachment. Mostly, the attachment is a ZIP-Archive that contains the Trojan as executable file (file extension .exe). This is an old schema used by many cybercriminals for years but I have to admit that they are still quite successful in infecting new victims. To mitigate such threats, many organisations block or reject any email that contains an executable file (.exe) or an ZIP-Archive with an executable on their email gateway / spam filter. You do so as well? You think you are safe? Unfortunately, I do have some bad news for you.

Today I was quite surprised when I got the following spam email on one of my spamtraps:

To: spamtrap
Subject: =?utf-8?q?Abmahnung f=C3=BCr firstname lastname 04.03.2013?=
Date: Mon, 4 Mar 2013 16:48:21 GMT

Sehr geehrter Kunde X X,

im heutigen Gesch=C3=A4ftsleben hat man =E2=80=9Eviel um die Ohren=E2=80=9C=
und muss an eine Menge Dinge gleichzeitig denken. Dass einem dabei mal etw=
as entgehen kann ist ganz nat=C3=BCrlich. Soeben konnte unsere Buchhaltung =
bez=C3=BCglich der angeh=C3=A4ngten Rechnung noch keinen Zahlungseingang er=

Datum: 13.01.2013 best=C3=A4tigt von
Offene Rechnung: 448,75 Euro
Bestellnummer: 100687844
Mahnkosten: 4,00 Euro

Sofern Ihrer Aufmerksamkeit unsere Rechnung entgangen ist, haben wir Ihnen =
eine Kopie der Rechnung beigef=C3=BCgt. Wir bitten Sie, die Zahlung nachzuh=
olen und sehen dem Eingang Ihrer Zahlung bis zum 04.03.2013 entgegen. Falls=
Sie den genannten Termin nicht einhalten, werden wir Ihnen weitere Verzugs=
zinsen und Mahnkosten berechnen.

Sollte der angemahnte Betrag nicht fristgerecht bei uns gebucht werden, wer=
den wir ohne weitere Schreiben unseren Rechtsanwalt mit der Klageerhebung b=

Mit bestem Dank f=C3=BCr Ihr Vertrauen in Conrad Electronic Dominik Krause

One of the things that I noticed immediately is that the email has a clean language which is quite uncommon for such spam campaigns (it is written in German and hence most likely targeting German speaking countries exclusively). Another thing that I noticed is that the email didn’t got blocked by the my spamfilter. While looking into it, I noticed that the spam mail had a very low spam score which is based on the fact that the sending IP address isn’t blacklisted on any blacklist (DNSBL). I’m not surprised because the sending IP address is actually one of GMX’s outbound email gateways:

Received: from ( [])
by spamtrap (X) with ESMTP id X
for spamtrap; Mon, 4 Mar 2013 16:49:03 +0000 (UTC)

For those who don’t know GMX: It’s a large free email service provider in Germany owned by 1&1. So you shouldn’t block their outbound email servers. What the criminals obviously did is using stolen SMTP credentials to send out their spam campaign.

The spam email contains a malicious PDF attachment using the first- and lastname of the recipient (victim):

Filename: Mahnung X X.pdf
File size: 9’514 bytes
Virustotal: 1 / 46

The AV detection rate is very poor, only one out of 46 AV vendors currently provides a detection against this threat (Microsoft – Exploit:Win32/CVE-2010-0188). The PDF exploits a well known vulnerability in Adobe Reader that allows remote code execution. The vulnerability was already addressed by Adobe in 2010.

If the Adobe version installed on the victims computer isn’t up to date, the malicious PDF will exploit CVE-2010-0188 and downloads the malware itself from

Filename: adobe-update.exe
Filesize: 73’728 bytes
Virustotal: 3 / 46

Unfortunately, most AV-vendors fail on this file as well. Only 3 AV-vendors currently provides a detection for it (well done ESET, Kasperksy and Malwarebytes). The file is temporary being stored in the following location:

C:\Document and Settings\USERNAME\Local Settings\Temp\wpbt0.dll

Afterwards the malware installs itself into a random directory with a random filename in the victims user profile, for example:

C:\Document and Settings\USERNAME\Hyrrayn\uisdoxtmjkl.exe (same file as wpbt0.dll)
C:\Document and Settings\USERNAME\Local Settings\Temp\otnhhyskui.pre (same file as wpbt0.dll)

Once the victims computer has been successfully infected, the malware contacts a botnet C&C hosted at

GET /typo3.php?ltype=ld&ccr=1&id=XXX&stat=0&ver=XXX&loc=XXX&os=XXX HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Connection: Keep-Alive
Cache-Control: no-cache

The User-Agent string seems to be hardcoded in the binary and is using an exotic (and I believe no longer used) version of Microsoft Internet Explorer (MSIE 6.0b).

To mitigate this threat, I recommend you to:

  • Create an IDS rule that spots the user-agent used by this malware
  • Patch Adobe Reader
  • Block the associated malware distribution site / botnet C&C (see list below)

Malicious domain names / IP addresses used or related in this malware campaign (I highly recommend you to block those):

Delta Airlines Spam Lead To Citadel

Today I’ve seen the following spam campaign hitting my spamtraps:

From: Delta Airlines < >
Subject: Your Order#XXXXXX – APPROVED

Dear Customer,

Your credit card has been successfully processed.

ELECTRONIC 628190172
DATE & TIME / FEB 19, 2013, 12:45 AM
ARRIVING / Washington

Please download and print your ticket from the following URL:

For more information regarding your order, contact us by visiting :

Thank you
Delta Airlines.

The hyperlink referenced in this spam campaign leads to a hijacked website that serves a ZIP archive that contains a malicious screen saver (.scr) file:


Filename: pdf_delta_ticket.scr (
File size: 291’840 bytes
MD5 hash: f66358bf351e6038b9a75b2f0f01860d
Virustotal: 11 / 44

The file pdf_delta_ticket.scr contains Citadel, a derivative of the famous ZeuS banking trojan. Unlike other binaries I’ve seen being spammed recently, this binary seems to be packed using a packer that is completely VM-aware – hence it will only run on a native machine.

Once infected, the infected computer tries to contact several Citadel C&C servers (botnet controllers). This Citadel campaign is using various C&C servers, all located in the same subnet:

Citadel config/binary URLs:


Citadel dropzones:


They are already listed on ZeuS Tracker:

As far as I can see, this Citadel campaign currently attacks BMO Financial Group, RBC Royal Bank and CIBC. All mentioned C&C IP addresses are within the same subnet that belongs to a (likely fake) internet service provider called “Aztec ltd”:

inetnum: –
netname: ATCTEK-NET
descr: Aztec ltd.
country: RU
org: ORG-Al253-RIPE
admin-c: MRA85-RIPE
tech-c: MRA85-RIPE
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-ATCTEK
mnt-routes: MNT-ATCTEK
mnt-domains: MNT-ATCTEK
source: RIPE # Filtered

organisation: ORG-Al253-RIPE
org-name: Aztec ltd.
org-type: OTHER
address: Russia, Saint-Petersburg, Gangytskaya str., 14.
remarks: ***************************************
remarks: in case of ABUSE or active issues please contact us
remarks: abuse/administrative email:
remarks: ***************************************
remarks: All other notifications to:
mnt-ref: MNT-ATCTEK
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

person: Mamarasylov Rystam Aleksandrovich
address: Russia, Saint-Petersburg, Gangytskaya str., 14.
phone: +7-901-903-43-76
nic-hdl: MRA85-RIPE
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

% Information related to ‘′

descr: AZCTEK route
origin: AS199079
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

When you visit their website (, you will just see an output of phpinfo(). Quite suspect for an internet service provider, isn’t it? Aztec isn’t new to me, I’ve seen a lot of Citadel C&C and webinject servers hosted there recently, used to commit financial fraud (ebanking fraud).

Taking a look at the global BGP routing table, I see two upstream providers providing IP transit to Aztec:

AS199079 AS path


Their first upstream is AS34109 (CB3ROB Ltd, Germany). CB3ROB gets its upstream connectivity from AS6453 (Tata Communications, India) and AS12327 (idear4business, Great Britain). Their second upstream is AS56598 (KartLand Ltd, Russia). KartLand gets its upstream connectivity from AS29226 (CJSC Mastertel, Russia). Most of these network names sound familiar to botnet researchers. AS199079 (AZCTEK) and AS56598 (KartLand) are obviously operated by cybercriminals. I recommend you to drop any packets from / to those networks at your network’s edge. AS34109 (CB3ROB) and AS12327 (idear4business) have shady backgrounds. I’ve seen various botnet C&Cs hosted in their IP space. If you run your own network, you might want to look into traffic from / to these AS numbers as well

AS199079 ATCTEK-AS Aztec ltd. (likely rogue)

AS56598 ASKARTLAND KartLand Ltd. (likely rogue)

AS34109 CB3ROB Ltd. & Co. KG (suspect)


Such spam campaigns are not uncommon; I see 1-3 of those on a daily basis. However, what is special with this specific campaign is that is wasn’t sent out by a (spam) botnet (usually Cutwail, Festi or Kelhios), but through compromised email servers. So far, I’ve seen roughly 30 sending SMTP servers (ab)used in this spam campaign:

Since the criminals are using compromised email servers, many DNSBLs are failing to catch those because most of them are focused on botnet or snowshoe spam. Hence the criminals can be sure that most of these spam mails are getting delivered to the victims mailbox.

You can protect yourself / your network from this threat by doing a few simple things:

* does have an SPF record that defines the permitted senders for this specific domain name