LadyBoyle

By ZulaZuza in Malware

LadyBoyle is a malware threat that uses a zero-day exploit in Adobe Flash that was first detected on February 5th, 2013. Zero-day exploits are particularly prized by criminals because they allow malware attacks to be carried out undeterred until the affected software's developer releases a patch or fix for the problem (these kinds of exploits are known as 'zero-day' because they are effective as soon as the targeted software is released). Adobe has released information about LadyBoyle, advising computer users how to protect their computers by downloading specific patches that fix this problem. The two vulnerabilities targeted by LadyBoyle are labeled CVE-2013-0633 and CVE-2013-0634. Since LadyBoyle is currently active, ESG malware researchers strongly advise computer users to download these patches in order to protect their computers.

PC security researchers have, so far, identified two different files that use the exploits listed above. Even though these files contain content written in English, an analysis of the files reveals data in Windows Simplified Chinese. These files are Microsoft Word files (with the DOC extension) which access a malicious embedded SWF file (an Adobe Flash file) that contains the dangerous exploit. This malicious SWF file contains a specific script named LadyBoyle which carries out the specific attack (which has led to PC security researchers referring to this exploit as LadyBoyle).

How the LadyBoyle Attack is Carried Out

Once the LadyBoyle script is executed, it first checks whether the conditions for a LadyBoyle attack exist. If they do, LadyBoyle drops various executable files on the victim's computer, as well as a malicious DLL file. This dangerous DLL file is also embedded within the LadyBoyle SWF file itself. ESG security researchers have observed that this attack is not particularly new. Even though the LadyBoyle exploit itself was first detected and distributed in February of 2013, this attack has been integrated into a malware family that has been active for a long time. This attack uses an invalid security certificate from MGAME (a game developer from Korea), and, like many other malicious executable files, its files are designed to mislead PC users into thinking that they are Google or Adobe updates. Once installed, this malware creates a backdoor into the victim's computer, making the changes to the Windows Registry that allow LadyBoyle to load automatically upon start-up and establish a connection to its command and control server.
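A defensive triage sketch for the delivery chain described above: a DOC file carrying an embedded SWF that holds the LadyBoyle script and a DLL. This is an added example, not code from the original page or from ESG. The function names, the plain-bytes search for the script name and a PE header, and the constructed sample input are assumptions; real samples may compress or obfuscate these.

```python
import struct
import zlib

SCRIPT_NAME = b"LadyBoyle"  # script name reported on this page

def swf_body(magic, data, body_len):
    """Return the SWF body after the 8-byte header, or None if implausible."""
    if magic == b"FWS":  # uncompressed SWF
        return data[:body_len] or None
    try:  # CWS is zlib; decompressobj ignores bytes trailing the stream
        return zlib.decompressobj().decompress(data, body_len) or None
    except zlib.error:
        return None

def find_embedded_swf(blob):
    """Yield (offset, version, body) per plausible SWF; header checks cut false hits."""
    for magic in (b"FWS", b"CWS"):
        pos = blob.find(magic)
        while pos != -1:
            if pos + 8 <= len(blob):
                version, declared_len = struct.unpack_from("<BI", blob, pos + 3)
                if 1 <= version <= 50 and declared_len > 8:
                    body = swf_body(magic, blob[pos + 8:], declared_len - 8)
                    if body is not None:
                        yield pos, version, body
            pos = blob.find(magic, pos + 1)

def has_pe(body):
    """True if body holds an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    pos = body.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(body):
            e_lfanew = struct.unpack_from("<I", body, pos + 0x3C)[0]
            if body[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                return True
        pos = body.find(b"MZ", pos + 1)
    return False

def triage(blob):
    """Per embedded SWF: offset, version, script-name hit, embedded-PE hit."""
    return [{"offset": off, "version": ver, "has_script_name": SCRIPT_NAME in body,
             "has_embedded_pe": has_pe(body)}
            for off, ver, body in find_embedded_swf(blob)]

def build_sample():
    """Constructed input (not a real sample): OLE magic + padding + CWS blob."""
    pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    body = b"\0" * 16 + SCRIPT_NAME + b"\0" + pe
    swf = b"CWS\x0b" + struct.pack("<I", len(body) + 8) + zlib.compress(body)
    return b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 504 + swf + b"\0" * 64
```

Calling `triage(build_sample())` returns one finding at offset 512. LZMA-compressed (ZWS) Flash files are not handled, so an empty result does not clear a document.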

File System Details

LadyBoyle may create the following file(s):
# File Name Detections
1. %AppData%\config.sys
