{
	"id": "1fdfa247-af61-4b64-8cc6-b5beec05a5c4",
	"created_at": "2026-04-06T00:10:47.944474Z",
	"updated_at": "2026-04-10T03:29:58.189533Z",
	"deleted_at": null,
	"sha1_hash": "f8fb24f1a3134261981c56d24782fc4486d51b77",
	"title": "Asruex Backdoor Infects Files Via Old Vulnerabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62833,
	"plain_text": "Asruex Backdoor Infects Files Via Old Vulnerabilities\r\nBy: Ian Mercado, Mhica Romero Aug 22, 2019 Read time: 4 min (1170 words)\r\nPublished: 2019-08-22 · Archived: 2026-04-05 14:18:56 UTC\r\nSince it first emerged in 2015, Asruex has been known for its backdoor capabilities and its connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector, particularly through the use of the old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code into Word and PDF files respectively. The use of old, patched vulnerabilities could hint that the variant was devised knowing that it can affect targets who have been using older versions of Adobe Reader (versions 9.x up to before 9.4) and Acrobat (versions 8.x up to before 8.2.5) on Windows and Mac OS X. Because of this unique infection capability, security researchers might not consider checking files for an Asruex infection and continue to watch out for its backdoor abilities exclusively. Awareness of this new infection method could help users defend against the malware variant.\r\nTechnical details\r\nAsruex infects a system through a shortcut file that has a PowerShell download script, and spreads through removable drives and network drives. The diagram below illustrates the malware's infection chain.\r\nFigure 1. Infection chain of Asruex\r\nInfected PDF files\r\nWe first encountered this variant as a PDF file. Further investigation revealed that the PDF file itself was not a malicious file created by the actors behind this variant. It was simply a file infected by the Asruex variant. Infected PDF files would drop and execute the infector in the background if executed using older versions of Adobe Reader and Adobe Acrobat. As it does so, it still displays or opens the content of the original PDF host file.
This tricks the user into believing that the PDF had acted normally. This behavior is due to a specially crafted template that takes advantage of the CVE-2010-2883 vulnerability while appending the host file. The vulnerability is found in the strcat function of Adobe’s CoolType.dll, which is a typography engine. Since this function does not check the length of the font to be registered, it can cause a stack buffer overflow to execute its shellcode. Finally, it decrypts the original PDF host file using XOR. This process is seen in the images below.\r\nFigure 2. Vulnerability being exploited by the variant\r\nFigure 3. Decrypting the original PDF host file\r\nIt will then drop and execute the embedded executable detected as Virus.Win32.ASRUEX.A.orig, as seen in figure 4.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/\r\nPage 1 of 4\n\nFigure 4. The embedded executable dropped by the malware\r\nThis executable is responsible for several anti-debugging and anti-emulation functions. As an anti-debugging measure, it detects whether avast! Sandbox\\WINDOWS\\system32\\kernel32.dll exists on any root. It then checks the following information to determine if it is running in a sandbox environment:\r\nComputer names and user names\r\nExported functions by loaded modules\r\nFile names\r\nRunning processes\r\nModule version of running process\r\nCertain strings in disk names\r\nThe executable file also injects the DLL c982d2ab066c80f314af80dd5ba37ff9dd99288f (detected as Virus.Win32.ASRUEX.A.orig) into the memory of a legitimate Windows process. This DLL is responsible for the malware's infection and backdoor capabilities.
It infects files with file sizes between 42,224 bytes and 20,971,520 bytes, possibly as a parameter to narrow down host files into which the malware code could fit.\r\nFigure 5. Screenshot showing the added process\r\nFigure 6. Template that the infector uses to infect PDF samples; the filename of the executable is highlighted\r\nInfected Word documents\r\nAs mentioned earlier, it uses a specially crafted template to exploit the CVE-2012-0158 vulnerability to infect Word documents. The template is highlighted in figure 7.\r\nFigure 7. Template used to infect Word documents\r\nThe CVE-2012-0158 vulnerability allows attackers to execute arbitrary code remotely through a Word document or web site. Similar to infected PDFs, it will drop and execute the infector in the background upon execution of the infected Word document file. At the same time, it will display the original DOC host file, letting users believe that the opened document is normal. The infected file would use XOR to decrypt the original DOC host file, as seen in figure 8. The file would open like normal, with the only difference found in the filename used by the infector. It drops and executes itself as rundll32.exe (figure 9).\r\nFigure 8. Use of XOR to decrypt the original DOC host file\r\nFigure 9. Use of a different file name to drop and execute the infector\r\nInfected executables\r\nAside from the Word documents and PDF files, the malware also infects executable files. This Asruex variant compresses and encrypts the original executable file or host file and appends it as its .EBSS section. This allows the malware to drop the infector, while also executing the host file like normal.
For infected executable files, the filename used by the infector when dropped is randomly assigned, as illustrated in figure 11.\r\nFigure 10. Code showing the host file being appended to the malware’s .EBSS section\r\nFigure 11. Random filename used for the dropped infector\r\nConclusion and security recommendations\r\nAs mentioned earlier, past reports have tagged Asruex for its backdoor capabilities. The discovery of this particular infection capability can help create adequate defenses against the malware variant. This case is notable for its use of vulnerabilities that were discovered (and patched) over five years ago, while we have been seeing this malware variant in the wild for only a year. This hints that the cybercriminals behind it devised the variant knowing that users have not yet patched or updated to newer versions of the Adobe Acrobat and Adobe Reader software. Understandably, this could pose a challenge for organizations, as updating widely used software could result in downtime of critical servers, and it could be costly and time consuming. If patching and updating is not a present option, organizations can consider security measures like virtual patching to help complement existing security measures and patch management processes. In general, users can take the necessary measures to defend against similar threats by following security best practices. We list some of the steps users can take to defend against Asruex and similar malware:\r\nAlways scan removable drives before executing any file that may be stored on them.\r\nAvoid accessing suspicious or unknown URLs.\r\nBe cautious when opening or downloading email attachments, especially from unknown or unsolicited email.\r\nUsers and enterprises can also benefit from a solution that uses a multilayered approach against threats that are similar to Asruex.
We recommend employing endpoint application control that reduces attack exposure by ensuring that only files, documents, and updates associated with whitelisted applications and sites can be installed, downloaded, and viewed. Endpoint solutions powered by XGen™ security such as Trend Micro™ Security and Trend Micro Network Defense can detect related malicious files and URLs and protect users’ systems. Trend Micro™ Smart Protection Suites and Trend Micro Worry-Free™ Business Security, which have behavior monitoring capabilities, can additionally protect from these types of threats by detecting malicious files, as well as blocking all related malicious URLs.\r\nIndicators of Compromise (IoCs)\r\nSHA256: b261f49fb6574af0bef16765c3db2900a5d3ca24639e9717bc21eb28e1e6be77\r\nDetection Name: Virus.Win32.ASRUEX.A.orig\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/"
	],
	"report_names": [
		"asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434247,
	"ts_updated_at": 1775791798,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8fb24f1a3134261981c56d24782fc4486d51b77.pdf",
		"text": "https://archive.orkl.eu/f8fb24f1a3134261981c56d24782fc4486d51b77.txt",
		"img": "https://archive.orkl.eu/f8fb24f1a3134261981c56d24782fc4486d51b77.jpg"
	}
}