NEWS FROM THE LAB - Thursday, January 21, 2010

Intelligence Sector Hit by a Targeted Attack
Posted by Mikko @ 14:52 GMT

We just blogged about a highly targeted attack against military contractors.



Now we saw one against the intelligence sector.



This attack was done with a PDF file. Again.



It was targeting the CVE-2009-4324 vulnerability. Again.



When opened, the PDF file (md5: c3079303562d4672d6c3810f91235d9b) looked like this:







What really happens in the background? Just like last time, the exploit code drops a backdoor in a file called Updater.exe (md5: 02420bb8fd8258f8afd4e01029b7a2b0).



Now, what is the document talking about? President's day? DNI Information Sharing Environment? We don't know, but a quick web search tells us that apparently there is going to be an Intelligence fair & expo in Germany next month.







Hmm. The Agenda looks awfully familiar.



We detect the files as Exploit.PDF-JS.Gen and Trojan-Spy:W32/Agent.NBZ.
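
The two MD5 values and the Updater.exe file name quoted in the post can be swept for on a host or a mail-attachment store. The script below is an added example, not F-Secure's code; the function names `sweep` and `md5_of` and the verdict strings are this example's own.

```python
import hashlib
import os

# Indicators quoted in the post (MD5 -> what the post says the file is).
POST_IOCS = {
    "c3079303562d4672d6c3810f91235d9b": "malicious PDF (CVE-2009-4324 exploit)",
    "02420bb8fd8258f8afd4e01029b7a2b0": "dropped backdoor Updater.exe",
}
# File name the post says the backdoor is written under (compared case-insensitively).
DROPPED_NAME = "updater.exe"


def md5_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=POST_IOCS, dropped_name=DROPPED_NAME):
    """Return sorted (path, verdict) pairs for files under root that match.

    A hash match is a confirmed hit. A file that only shares the dropped
    file's name is reported as a weaker lead, because Updater.exe is a
    generic name that unrelated software may also use.
    """
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                digest = md5_of(path)
            except OSError:
                continue  # unreadable or vanished file: skip, keep sweeping
            if digest in iocs:
                findings.append((path, "hash match: " + iocs[digest]))
            elif name.lower() == dropped_name:
                findings.append((path, "name only: verify before acting"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, verdict in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "->", verdict)
```

A hash match only catches these exact two files; a rebuilt PDF or a repacked backdoor will have a different MD5, so the name-only lead and the vendor detections named above still matter.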





















