Asruex Backdoor Spreads via Infected Documents

Delaware, USA – August 23, 2019 – DarkHotel group (aka APT-C-06) modified Asruex backdoor, adding the capability of infecting PDFs, Word documents, and executables to spread infection within a targeted organization. The group is known for its stealth attacks, sophisticated techniques, and access to zero-day vulnerabilities, even more interesting is a fresh sample of their malware exploiting a long time ago patched vulnerabilities. Asruex backdoor has been used in targeted attacks since October 2015 allowing adversaries to download and execute files, load DLLs, modify windows registry, and terminate processes. Typically, malware is delivered via phishing emails with an ICO file attached, which runs a PowerShell download script and installs the backdoor into the system. Trend Micro researchers discovered and analyzed an infected PDF document revealing a new way to spread Asruex across the network after the initial infection. Now the malware searches for documents and executables on removable or network drives and infects them. Infected Word documents upon opening exploit CVE-2012-0158 vulnerability to install Asruex backdoor and show the original document to a user. PDF files act in the same way, but they exploit an even older vulnerability – CVE-2010-2883.

The exploitation of such old vulnerabilities may indicate active or recent DarkHotel group cyber espionage campaigns against organizations using outdated Adobe Reader, Acrobat, and MS Office. If for any reason your organization has difficulties with installing updates or monitoring the versions of software your employees use on their systems, make sure your security solutions scan files on network and removable drives to timely spot Asruex malware. You can learn more about all known techniques of the DarkHotel group on Threat Detection Marketplace: