Security Researcher have come across a Spam email that leads to a malware page which delivers the PDF exploit(CVE-2009-0927). The campaign seems to be targeting the aviation defense Industry.
If the recipient open the malicious PDF file, it opens a fake document and displays an invitation to an actual defense industry event. In the background, it exploits the PDF vulnerability.
About CVE-2009-0927:A stack-based buffer overflow vulnerability in the Adobe Reader and Adobe Acrobat before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object "Collab.getIcon()".
If the victim's machine has the vulnerable version , then shellcode inside the pdf will start to execute. The shellcode creates a file and run "evtmgr.exe in the Temp folder .
The exe file drops another dll file called mssrt726.dll which performs network communication and opens the backdoor at TCP port 49163.
