Chinese caught red handed HACKING
Take an example of this PDF file we got a sample of via VirusTotal. The only information we have on this 130kB sample is that it was named f1be1cdea0bcc5a1574a10771cd4e8e8.pdf (after its MD5 hash) and that it was submitted on the 23rd of May.
When you open this document, this is what you'll see:
Looks like a Department of Homeland Security form G-325A.
What's the filename?
It's not f1be1cdea0bcc5a1574a10771cd4e8e8.pdf. It's 0521.pdf.
This is not the document we opened.
So what happens here?
Apparently this PDF has been used in a targeted attack against an unknown target.
When this PDF is opened in Acrobat Reader, it uses a known exploit to drop files.
Specifically, it creates two files in the TEMP folder: D50E.tmp.exe and 0521.pdf.
Then it executes the EXE and opens the clean 0521.pdf in Adobe Reader so the user believes everything is fine.
D50E.tmp.exe is a backdoor that creates lots of new files with innocent-sounding filenames, including:
The SYS component is a rootkit that tries to hide all this activity on the infected machine.
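The dropper behaviour described above (auto-executing action, launched executable, embedded payload) leaves static traces in the PDF itself. The following triage script is an added example, not code from the original post or from any vendor: it scans a PDF for the name objects that typically carry such behaviour, resolves `#xx` hex escapes in names (a common way to hide `/Launch` or `/JavaScript` from naive scanners), also looks inside FlateDecode streams, and derives the MD5-based filename convention mentioned for the sample. The sample PDF is constructed inline; the keyword list and scoring rule are heuristics chosen here, and the dropped filename `D50E.tmp.exe` is reused from the post only as a string in that constructed sample.

```python
"""Static triage of a PDF for dropper-style indicators (added example)."""
import hashlib
import re
import zlib

# Name objects that commonly mark auto-execution or embedded/launched content.
# Heuristic list chosen for this example; presence is a lead, not a verdict.
RISKY_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/ObjStm")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes so /La#75nch reads as /Launch.
    Applied to the whole buffer for scanning only; it is not a PDF parser."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Return the decompressed bodies of streams that inflate with zlib;
    streams that are not FlateDecode (or are damaged) are skipped."""
    bodies = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:
            # decompressobj tolerates the trailing newline before 'endstream'
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return bodies


def triage_pdf(data: bytes) -> dict:
    """Count risky names in the raw file and in each inflated stream."""
    layers = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    hits = {}
    for layer in layers:
        for name in RISKY_NAMES:
            # negative lookahead keeps /JS from matching inside longer names
            n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", layer))
            if n:
                hits[name.decode()] = hits.get(name.decode(), 0) + n
    return hits


def is_suspicious(hits: dict) -> bool:
    """Flag when something auto-executes AND there is something to execute/drop."""
    auto = hits.get("/OpenAction", 0) + hits.get("/AA", 0)
    payload = sum(hits.get(k, 0) for k in ("/JavaScript", "/JS", "/Launch", "/EmbeddedFile"))
    return auto > 0 and payload > 0


def expected_sample_name(data: bytes) -> str:
    """Filename a sample gets when named after its MD5, as in the post."""
    return hashlib.md5(data).hexdigest() + ".pdf"


# Constructed sample: an OpenAction pointing at a hex-obfuscated /Launch action,
# plus an embedded FlateDecode stream whose inflated body carries a JavaScript action.
_STREAM = zlib.compress(b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>")
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
    b"4 0 obj << /S /La#75nch /F (D50E.tmp.exe) >> endobj\n",
    b"5 0 obj << /Type /EmbeddedFile /Length ", str(len(_STREAM)).encode(),
    b" /Filter /FlateDecode >>\nstream\n", _STREAM, b"\nendstream endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

# Constructed benign sample with no action or embedded content.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        found = triage_pdf(blob)
        print(label, expected_sample_name(blob), found, "suspicious" if is_suspicious(found) else "ok")
```

On a real sample the same functions take the file bytes read from disk; the point of the hex-escape and stream layers is that a plain `grep` for `/Launch` on the raw file would miss both the obfuscated name and anything sitting inside a compressed stream.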
The backdoor tries to connect to port 80 of a host called nbsstt.3322.org. Anybody operating that host would have full access to the infected machine.
Well, 3322.org is one of the well-known Chinese DNS-bouncers that we see a lot in targeted attacks. Does nbsstt mean something? Beats me, but Google will find a user with this nickname posting to several Chinese military-related web forums, such as bbs.cjdby.net.
Where does nbsstt.3322.org point to?
IP address 126.96.36.199 is in Zhejiang, China.
And it's live right now, answering requests at port 80.
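Because the callback goes to a hostname under a dynamic-DNS zone rather than to a fixed address, the resolver log is a better place to spot it than a firewall rule on the IP. The script below is an added example, not code from the original post: it reads DNS query-log lines, matches queried names against watched dynamic-DNS zones on label boundaries (so `not3322.org` is not confused with `3322.org`), and groups the hits by hostname and querying client. The log format and the client addresses are constructed for this example; `3322.org` is the only zone taken from the post, and the watch list is assumed to be extended per site.

```python
"""Find lookups of hosts under watched dynamic-DNS zones (added example)."""
import re
from collections import defaultdict

# Zones to watch. 3322.org is the one named in the post; adding others is a
# local policy decision (assumption for this example).
WATCHED_ZONES = ("3322.org",)

# Constructed log format: "<time> client <ip>#<port>: query: <qname> IN <qtype>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)

# Constructed sample log lines; nothing here is real traffic.
SAMPLE_LOG = """\
10:12:01 client 10.0.0.17#51234: query: nbsstt.3322.org IN A
10:12:05 client 10.0.0.17#51240: query: www.example.com IN A
10:13:11 client 10.0.0.42#49152: query: nbsstt.3322.org IN A
10:14:00 client 10.0.0.42#49160: query: not3322.org IN A
10:14:30 client 10.0.0.99#40000: query: other.3322.org. IN AAAA
garbage line that does not parse
"""


def in_watched_zone(qname: str) -> bool:
    """True if qname is a watched zone or a subdomain of one (label-aware)."""
    q = qname.lower().rstrip(".")          # tolerate a trailing root dot
    return any(q == z or q.endswith("." + z) for z in WATCHED_ZONES)


def find_dyndns_lookups(log_text: str) -> dict:
    """Group watched-zone queries by hostname with a count and client list."""
    hits = defaultdict(lambda: {"count": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not in_watched_zone(m["qname"]):
            continue                       # unparsable line or uninteresting name
        rec = hits[m["qname"].lower().rstrip(".")]
        rec["count"] += 1
        rec["clients"].add(m["client"])
    # sorted client lists make the result stable and easy to compare
    return {h: {"count": r["count"], "clients": sorted(r["clients"])} for h, r in hits.items()}


if __name__ == "__main__":
    for host, rec in find_dyndns_lookups(SAMPLE_LOG).items():
        print(f"{host}: {rec['count']} lookups from {', '.join(rec['clients'])}")
```

A hit here is a starting point for host triage (which process on 10.0.0.17 made the lookup, whether a TCP/80 session to the resolved address followed), not a conviction on its own, since dynamic-DNS zones also carry legitimate traffic.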
Sheesh, I'm turning my computer off, cutting the cable and locking it in the attic.
Let's see them attack it now.
Call ahh umm somebody...yes somebody should take that PC down and the server.
Burn them up.