While analysing the latest malicious PDF exploit documents, we found the embedded shellcode to have some interesting features. The shellcode is executed once the exploit has succeeded.
The payload of the PDF contacts a server in China – so far nothing uncommon here. The contacted system belongs to the network of the Chinese CHINA RAILWAY TELECOMMUNICATIONS CENTER. Very unusual, though, is the port used to communicate with the command and control server – it’s port 220, which is assigned to the IMAPv3 protocol. The protocol used seems to be proprietary and zlib compressed.
From there it downloads further malware. Among the malware we have seen is, for example, BDS/Agent.adsi, a backdoor. It gets installed in the Windows system directory.
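As an added example (not code from the original write-up or from the analysed sample), a small Python triage script for flow data: it flags connections to port 220 whose first payload bytes are not IMAP but are a zlib stream, as described above. It assumes the zlib data begins at the start of the payload and that a flow record is a (destination port, first payload bytes) pair; the sample records are constructed.

```python
import zlib
IMAP3_PORT = 220  # registered IMAPv3 port, abused here as a C2 channel

def looks_like_imap(payload: bytes) -> bool:
    # IMAP servers greet with an untagged "* OK"/"* PREAUTH"/"* BYE" line;
    # clients send tagged ASCII commands such as "A001 CAPABILITY".
    head = payload[:64]
    if head.startswith(b"* "):
        return True
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return False
    tag, _, command = text.partition(" ")
    return bool(tag) and tag.isalnum() and command[:1].isupper()

def is_zlib_stream(payload: bytes) -> bool:
    # zlib header: CMF byte 0x78 (deflate, 32 KiB window) and
    # (CMF*256 + FLG) divisible by 31; then confirm by inflating.
    if len(payload) < 2 or payload[0] != 0x78:
        return False
    if (payload[0] * 256 + payload[1]) % 31 != 0:
        return False
    try:
        zlib.decompressobj().decompress(payload)  # tolerates truncated streams
        return True
    except zlib.error:
        return False

def classify_flow(dst_port: int, payload: bytes) -> str:
    # Judge the first payload bytes against what port 220 should carry.
    if dst_port != IMAP3_PORT:
        return "ignore"
    if looks_like_imap(payload):
        return "imap"
    if is_zlib_stream(payload):
        return "suspicious-zlib"
    return "non-imap"

def scan(flows):
    # flows: iterable of (dst_port, first_payload_bytes) records.
    return [(port, classify_flow(port, payload)) for port, payload in flows]

# Constructed sample flow records (not captures from the real sample).
SAMPLE_FLOWS = [
    (220, b"* OK IMAP3 server ready\r\n"),        # legitimate greeting
    (220, zlib.compress(b"GET /stage2.bin\x00")),  # zlib blob where IMAP is expected
    (220, b"\x01\x02\x03 unknown binary"),         # neither IMAP nor zlib
    (443, zlib.compress(b"tls would be here")),    # other port, out of scope
]
```

Only the second record is reported as "suspicious-zlib"; a real deployment would feed it the first bytes of each flow from a capture or proxy log rather than the constructed list.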