PDF files unexpectedly cannot be opened

Problem Description

This problem has been encountered twice: customers reported that some PDF files on a shared file path could no longer be opened. Examining the files remotely, I found that the PDFs had been rewritten at a certain point in time.

When a user opens one of these PDFs, the following warning is shown:

    Unable to extract the embedded font "Cinema". Some characters may not be displayed or printed correctly.

Problem handling

Several anti-virus products reported no malware, but the file is clearly different from the original.
This resembles the ransomware that is so widespread nowadays, but it does not show ransomware's typical distinctive features. The sample was submitted to Trend Micro, and their engineer reported that it is Virus.Win32.ASRUEX.A.orig, of the Asruex Backdoor type.

Asruex infects systems through shortcut files carrying PowerShell download scripts, and spreads via removable drives and network drives. The following figure illustrates the malware's infection chain.
(Figure: Asruex infection chain)

The following is an introduction to the Asruex backdoor:

Since its first appearance in 2015, Asruex has been known for its backdoor functionality and its connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector, in particular by using the old vulnerabilities CVE-2012-0158 and CVE-2010-2883 to infect Word and PDF files respectively.

Using an old bug that has already been fixed may imply that the variant is designed to affect users of older versions of Adobe Reader (9.x before version 9.4) and Acrobat (8.x before version 8.2.5) on Windows and Mac OS X.

Problem resolution

For the time being, this problem can only be solved by restoring from backup. If your backup retention period is short and the problem is discovered late, you may not be able to restore the infected files.

@20200701 Update
This problem occurred again recently. The customers had also updated their Adobe Reader version, but similar incidents still happen. It is really worrying... There is no way around it but to find the source.

  • Enable NTFS auditing on the affected folder
  • Enable the [Audit object access] policy
  • View the audit log (Event ID 4663, task category "Removable Storage")
试图访问对象。

使用者:
	安全 ID:		ZHONG\infra01
	帐户名:		infra01
	帐户域:		ZHONG
	登录 ID:		0x6E582C

对象:
	对象服务器:		Security
	对象类型:		File
	对象名:		C:\Downloads
	句柄 ID:		0xad8
	资源属性:	S:AI

进程信息:
	进程 ID:		0x1f00
	进程名:		C:\Windows\explorer.exe

访问请求信息:
	访问:		READ_CONTROL
				
	访问掩码:		0x20000
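
As an added example (not part of the original post), the three steps above as a PowerShell script: it enables the File System audit subcategory, adds an audit entry to the affected folder's SACL so that writes and deletes are logged, and later summarises the 4663 events for PDFs in that folder by the process that touched them. The folder path is a placeholder; run it from an elevated PowerShell on the file server.

```powershell
# Added example, not from the original post. Placeholder: the affected shared folder.
$Folder = 'D:\Shares\PDF'

# 1. Enable success auditing for the "File System" subcategory of Object Access.
auditpol /set /subcategory:"File System" /success:enable /failure:disable

# 2. Add a SACL entry: audit successful writes/appends/deletes by anyone,
#    inherited by all files and subfolders. Set-Acl on a SACL needs admin rights.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Later (after the PDFs have been rewritten again): pull the 4663 events,
#    keep those whose object is a .pdf under the folder, and group by process.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
    -ErrorAction SilentlyContinue
$hits = foreach ($e in $events) {
    # 4663 carries its fields as <Data Name="..."> elements in the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ObjectName -like "$Folder\*.pdf") {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process    = $d.ProcessName      # the binary that opened the PDF
            Object     = $d.ObjectName
            AccessMask = $d.AccessMask       # 0x2 WriteData, 0x4 AppendData, 0x10000 Delete
        }
    }
}
# A process other than the customer's PDF reader/editor at the top of this
# list is the candidate source to investigate.
$hits | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
```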

Reference

  • Trendmicro link information:
    https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/

  • Windows log reference: (screenshots of the Windows Security event log, not reproduced)

Origin blog.csdn.net/weixin_38623994/article/details/106024382