Computer security experts have uncovered a number of Advanced Persistent Threat (APT) campaigns that rely on Adobe Reader vulnerabilities to distribute malware. One particular exploit, for the CVE-2013-0640 vulnerability in Adobe Reader, has been used in several distinct campaigns, including MiniDuke, Zegost, and PlugX.
MiniDuke is a malware threat previously used in targeted attacks against European government institutions. Targeted Adobe Reader PDF files have also served as payload droppers in a Zegost attack that is not directly related to the MiniDuke exploitation. In addition, a series of malicious PDFs has been identified in PlugX campaigns, which deliver a Remote Access Tool also known as Korplug.
Various versions of these malicious PDF files have been dropped on computers around the world, each belonging to a completely different campaign: MiniDuke, Zegost, and PlugX.
These APT campaigns are highly targeted; among the affected regions are users in Japan, South Korea and India. Experts researching the recent APT campaigns that exploit Adobe Reader have found that each attack used its own method to exploit the same vulnerability.
There has been a noticeable increase in the number of malicious PDFs exploiting the CVE-2013-0640 vulnerability, which reflects recent APT behavior. Malicious Microsoft Word documents exploiting the older, widely used CVE-2012-0158 vulnerability are no longer the preferred vector. The attackers appear to have moved on to more complex and aggressive infrastructures for compromising systems, all using APT methods across the MiniDuke, Zegost and PlugX campaigns.