Researchers at Symantec say a new round of targeted web assaults appear to come from the same group responsible for last year’s attacks against Google and other major U.S. businesses.
Writing on the Symantec Security blog, researcher Karthik Selvaraj said evidence collected on the new targeted attacks have many of the same characteristics as the so-called Aurora (Hydraq) attacks in 2009 that impacted more than 30 businesses, including Google, Northrop Grumman and Symantec.
The latest incident appears to date back at least to the beginning of this month, when researchers started noticing attacks leveraging the recent Adobe zero-day vulnerability in PDF Reader, and using social engineering to lure victims. More specifically, attackers sent emails containing a malicious PDF file attachment.
Selvaraj noted that the recent emails were written in the same style as those used in the Aurora attacks. It also seems as if the two attacks share the same origin.
“In addition, the use of a zero-day within a PDF, and how the executable is dropped on the system, all match the Hydraq method of operation,” he added. “Furthermore, we have seen a large number of detections of unique versions of the PDF—not yet seen elsewhere in the wild—coming from a single computer in the Shandong Province of China, which is how far back investigators were able to trace the Hydraq attacks.”
Although these similarities could be coincidental, Selvaraj said it appears as if these attacks appear to be from the same perpetrators. The PDFs inside all the recent emails exploit the same Adobe zero-day vulnerability and each drop similar downloader components, but with different decoy PDFs. Some had different URLs to download additional malware, he added.