A word document 'iPhone 5 Battery.doc' containing a malicious embedded flash file explotis the recently patched Adobe Flash player vulnerability(CVE-2012-1535), Alienvault researchers warns.
About CVE-2012-1535:Unspecified vulnerability in Adobe Flash Player before 11.3.300.271 on Windows and Mac OS X and before 11.2.202.238 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted SWF content.
Once victim open the the malicious document , it will exploit the vulnerability and executes the shellcode. Once the payload is executed, it drops a malicious dll file. While executing the malicious code, the malware displays a genuine article about leaked iPhone 5 battery Images.
This backdoor is know as c0d0so0 and also Backdoor.Briba and it has been seen in other targeted attacks exploiting CVE-2012-0779 among others during the past few months.
The backdoor contacts the remote sever publicnews.mooo.com using a HTTP POST request and attempts to download an executable file encapsulated in a ZIP and disguised as a GIF.
"The use of Dynamic DNS providers like DynDNS.org , 3322.net.. is very common in this kind of threats. You should be monitoring the requests to dynamic dns providers in your network,"Researcher says.
