The majority of users on the Internet tend to neglect updating their software and their operating systems. It may be a tedious task to keep all your applications up to date, but it is necessary if you want to keep malware away from your system. Since there are so many people who fail to do this, cyber crooks have tailored special malware targeting systems running outdated software or outdated operating systems.
A new variant of Asruex that was spotted by security researchers in the summer of 2019 uses specific vulnerabilities in MS Office and Adobe products to infiltrate its victims' systems.
In the past Asruex attempted various infection vectors, including malicious shortcuts, hijacked digital certificates and executable HTML files. In August 2019, researchers working with Trend Micro found a new variant of Asruex that was distributed in phishing email campaigns, using malicious PDF files and was exploiting old, unpatched software vulnerabilities. The PDF file used in the attacks appears harmless and will load up the actual document contents, but it's also loaded with the malware that will execute quietly in the background. The new version of Asruex was using vulnerabilities CVE-2010-2883 and CVE-2012-0158 to infiltrate its victims.
CVE-2012-0158 represents a bug in MS Office that was found in a number of versions of the software package and dates back to 2012. The bug allows for remote code execution on the victim system through system state corruption, which in turn allows bad actors to carry out the attack.
CVE-2010-2883 is an even older issue. The vulnerability dates back to 2010 and abuses a stack overflow issue in Adobe PDF reader products that allows bad actors to execute arbitrary code as well as perform DoS attacks.
Both vulnerabilities have long since been addressed with patches but there is still a large installed base of users who have not updated from the old, vulnerable versions of the software in question, which makes them potential targets for Asruex attacks. This is just another instance that highlights the importance of keeping all software on your system up to date.
Table of Contents
Exploits Almost Decade-Old Vulnerabilities
This is the case with the Asruex backdoor Trojan. The Asruex Trojan has been pestering users for years. If this threat manages to infiltrate your system, it has the full capabilities to gain complete control over your PC. What is even worse is that cybercriminals appear to have developed a new, updated variant of the Asruex backdoor Trojan. This strain of the Asruex Trojan takes advantage of vulnerabilities in outdated versions of common applications like Microsoft Office, Adobe Reader, and Adobe Acrobat. These known vulnerabilities are sometimes about ten years old, but there is still a large swab of people who are running this outdated software.
The propagation method employed by the authors of the Asruex Trojan is spam email campaigns. The emails would contain a macro-laced Microsoft Word file or a PDF. Once the user opens the attachment, they are asked to approve the use of macro scripts. If they fall for this trick and give the permission requested they will trigger the downloading and subsequent execution of the Asruex backdoor Trojan.
Self-Preservation and Persistence
As a self-preservation technique, the Asruex Trojan is capable of distinguishing normal computers and sandbox environments. It is capable of doing this by scanning Registry entries and configurations, which can indicate the presence of software used for malware debugging. When the Asruex backdoor Trojan confirms that it has infiltrated a regular system, it will gain persistence by tampering with the Windows Registry. Next, the Asruex Trojan will establish a connection with the attackers' C&C (Command & Control) server.
Once these steps are completed, the Asruex backdoor Trojan will be able to:
- Collect information.
- List services and processes that are running.
- Download files.
- Upload files.
- Execute files.
- Browse files.
- List files.
- Modify files.
- Plant additional threats.
Users need to understand how crucial it is to keep their software up-to-date because otherwise, they just serve their systems and their data on a silver platter to whoever wishes to take advantage. Also, they should make sure to download and install a legitimate anti-virus software tool to keep their systems secure.