
New Asruex backdoor variant leverages old vulnerabilities to target Adobe software and Microsoft Office

  • The variant - detected as Virus.Win32.ASRUEX.A.orig - is disguised as PDF files and Word documents in order to drop and execute its payload.
  • Users who have been using older versions of Adobe Reader (prior to 9.4) and Acrobat (prior to 8.2.5) on Windows and Mac OS X are affected by the variant.

A new version of the Asruex backdoor malware, which is associated with the DarkHotel threat actor group, has been discovered. The variant is distributed by exploiting vulnerabilities in Adobe and Microsoft Office software that are more than six years old.

What are the vulnerabilities?

According to Trend Micro researchers, the variant - detected as Virus.Win32.ASRUEX.A.orig - is disguised as PDF files and Word documents in order to drop and execute its payload. Their analysis shows that the new Asruex variant is designed to exploit two old vulnerabilities that were discovered more than six years ago. The vulnerabilities are:

  • CVE-2012-0158 - a critical buffer-overflow vulnerability in an ActiveX component in MS Office versions 2003, 2007 and 2010. This can lead to remote code execution in Word documents.
  • CVE-2010-2883 - a stack-based overflow in Adobe products. This can enable attackers to inject code into PDFs.

Who are the targets?

The malware variant can affect targets who have been using older versions of Adobe Reader (prior to 9.4) and Acrobat (prior to 8.2.5) on Windows and Mac OS X.
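A software inventory can be checked against these version boundaries. The script below is an added example, not part of the original article or of Trend Micro's analysis: it flags Adobe Reader and Acrobat installs older than the versions the article names, plus the Office releases it lists for CVE-2012-0158. The CSV layout, the product-name matching and the sample hosts are assumptions made for the example.

```python
import csv
import re

# Thresholds exactly as the article states them; confirm against vendor advisories.
ADOBE_FIXED = {"adobe reader": (9, 4), "adobe acrobat": (8, 2, 5)}
OFFICE_RELEASES = ("2003", "2007", "2010")  # releases the article lists for CVE-2012-0158

def parse_version(text):
    """Turn '9.3.4' or '8.2.5 (build 1)' into a tuple of ints, or None."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_older(version, fixed):
    """Pad with zeros before comparing so that 9.4 and 9.4.0 are equal."""
    width = max(len(version), len(fixed))
    return version + (0,) * (width - len(version)) < fixed + (0,) * (width - len(fixed))

def triage(inventory_csv):
    """Return (host, product, version, reason) for each row needing attention."""
    findings = []
    for row in csv.DictReader(inventory_csv.splitlines()):
        product = row["product"].strip().lower()
        version = parse_version(row["version"])
        reason = None
        for name, fixed in ADOBE_FIXED.items():
            if not product.startswith(name):
                continue
            if version is None:
                reason = "version not parseable, check manually"
            elif is_older(version, fixed):
                reason = "older than " + ".".join(map(str, fixed))
        if product.startswith("microsoft office") and any(r in product for r in OFFICE_RELEASES):
            reason = "release listed for CVE-2012-0158, confirm patch state"
        if reason:
            findings.append((row["host"], row["product"], row["version"], reason))
    return findings

# Constructed sample inventory; hosts and versions are made up for this example.
SAMPLE = """host,product,version
ws-01,Adobe Reader,9.3.4
ws-02,Adobe Reader,9.4.0
ws-03,Adobe Acrobat,8.2.4
ws-04,Adobe Acrobat Pro,8.2.5
ws-05,Microsoft Office 2007,12.0.6612
ws-06,Microsoft Office 2016,16.0.4266
ws-07,Adobe Reader,unknown
"""

if __name__ == "__main__":
    print(*map(" | ".join, triage(SAMPLE)), sep="\n")
```

An Office release alone does not show whether the fix for CVE-2012-0158 is installed, so those rows are marked for patch verification rather than reported as vulnerable.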

How does it operate?

According to the researchers, Asruex spreads through removable drives and network drives. Once installed and executed, the malware variant checks the following information to determine whether it is running in a sandbox environment:

  • Computer names and user names
  • Exported functions by loaded modules
  • File names
  • Running processes
  • Module version of the running process
  • Certain strings in disk names

It also detects if ‘avast! Sandbox\WINDOWS\system32\kernel32.dll’ exists on any root as an anti-debugging measure. This DLL is responsible for the malware’s infection and backdoor capabilities. It infects files with file sizes between 42,224 bytes and 20,971,520 bytes.

The bottom line

The new variant of the Asruex backdoor poses a major threat to organizations using older versions of Adobe and Microsoft Office software. Organizations are advised to patch the vulnerable software immediately to stay safe from the malware.

Cyware Publisher
