You’ve been subpoenaed …

We’ve been hearing about some very targeted emails relating to federal subpoenas, sent specifically to CEOs – a variation on a theme we’ve seen before.

This sort of targeted malware attack has a lot in common with spear phishing, which tends to be small-scale, usually sent as if from a member of your own company (in other words somebody you’re more likely to trust), and typically aimed at getting you to “confirm” certain personal details. In this case they’re pretending to be a different trusted organization (the United States Federal Courts) and cherry-picking their recipients, but they’re trying to get information from you using malware.

The file they’re using is detected as Mal/DllHook-A, and has been for almost a year. In this case it’s an executable that attempts to drop a file called acrobat.dll, also detected as Mal/DllHook-A, which it pretends is a component of “Adobe Acrobat ActiveX Control”. It also pops up the following messagebox:

Fake Acrobat Message

The dropped dll will try to log keystrokes and contact a remote site through Internet Explorer – of course the same social engineering that made someone run this supposed Adobe Acrobat file in the first place means that, if a firewall reports that “acrobat.dll” is trying to access the internet, the user will almost certainly simply let it through.

Good job we’ve been detecting it for a year then, isn’t it?