Comments on Carnal0wnage Blog: APT PDFs and metadata extraction

Anonymous, 2013-03-20 11:31 (-04:00):
Aren't most APT PDFs reused from other places/victims? I think the metadata might be related to the originator (another victim maybe?) and not the attacker in this case. The tool they use to inject the exploit code most likely doesn't update most/any of those fields.

I would be interested to see if the created date (in metadata) was during a time when pyPDF was still supported and when the exploit became known. That could tell you some interesting things.

Kyle Maxwell (https://www.blogger.com/profile/02028811120307956640), 2013-03-22 11:11 (-04:00):
I'm not confident that most of these PDFs are re-used, though it certainly does bear further investigation. In the investigations I've seen, they have generally been targeted material.

Anonymous, 2013-03-22 14:56 (-04:00):
Yeah, almost all the APT1 payload PDFs were from other origins.

Given the pretty even distribution you see in your data, I believe recommending that people block or build signatures based on this metadata is just hyperbole to promote your training classes. I'm really sad to see this stuff when it happens in infosec.

Anonymous, 2013-03-27 12:41 (-04:00):
There is definitely some possibility in keying off this metadata. Of course, if you have better decoding/detection/magic working against your e-mail or otherwise inbound PDFs then this might be a moot point. These artifacts, perhaps combined with other fields such as author or time, might help whittle down those false positives.

Source: been doing this exact crap for too long.
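Added example, not code from the Carnal0wnage post or from any of the commenters: a dependency-free Python triage script that pulls the /Info dictionary out of a PDF, decodes the Producer/Creator/Author strings and the D: dates, and runs the kind of checks the thread argues about: a producer watchlist, the gap between CreationDate and ModDate (a large gap is consistent with an old document being re-used, as the first commenter suggests), and whether the creation date falls inside an analyst-supplied window for when that producer was actually in use. The embedded sample PDF, the watchlist entry and the window dates are constructed placeholders; they are not real samples and make no claim about pyPDF's real release history.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, not a real malicious document. Producer, author and dates are
# made up to exercise the parser: an octal escape in a literal string, a hex string,
# and dates with and without a UTC offset.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj
<< /Producer (pyPDF) /Creator (Microsoft\\051 Word) /Author <4A646F65>
   /CreationDate (D:20090212103000+08'00') /ModDate (D:20130301120000Z) >>
endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

INFO_REF_RE = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# /Key followed by a literal string (...) or a hex string <...>. Nested parentheses and
# indirect-object values are not handled: this is a triage parser, not a PDF library.
ENTRY_RE = re.compile(rb"/([A-Za-z0-9]+)\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)
# PDF date syntax D:YYYYMMDDHHmmSSOHH'mm'; everything after the year is optional.
DATE_RE = re.compile(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([Zz+-])?(\d{2})?'?(\d{2})?")


def _unescape_literal(raw: bytes) -> bytes:
    """Resolve backslash escapes (\\n, \\), \\ddd octal, ...) inside a literal string."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            octal = re.match(rb"[0-7]{1,3}", raw[i + 1:])
            if octal:
                out.append(int(octal.group(0), 8) & 0xFF)
                i += 1 + len(octal.group(0))
                continue
            nxt = raw[i + 1:i + 2]
            out += {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(nxt, nxt)
            i += 2
            continue
        out += raw[i:i + 1]
        i += 1
    return bytes(out)


def _to_text(b: bytes) -> str:
    """Text strings are UTF-16BE when they carry a BOM, else PDFDocEncoding (close to Latin-1)."""
    return b[2:].decode("utf-16-be", "replace") if b.startswith(b"\xfe\xff") else b.decode("latin-1")


def extract_info(pdf: bytes) -> dict:
    """Return the string entries of the /Info dictionary as {key: text}."""
    refs = INFO_REF_RE.findall(pdf)
    if not refs:
        return {}
    num, gen = (int(x) for x in refs[-1])   # incremental updates append trailers; the last wins
    bodies = re.findall(rb"(?<!\d)%d\s+%d\s+obj(.*?)endobj" % (num, gen), pdf, re.DOTALL)
    if not bodies:
        return {}
    meta = {}
    for m in ENTRY_RE.finditer(bodies[-1]):  # likewise, the last definition of the object
        if m.group(2) is not None:
            raw = _unescape_literal(m.group(2))
        else:
            hexdigits = re.sub(rb"\s", b"", m.group(3)).decode("ascii")
            raw = bytes.fromhex(hexdigits + "0" if len(hexdigits) % 2 else hexdigits)
        meta[m.group(1).decode("ascii")] = _to_text(raw)
    return meta


def parse_pdf_date(text: str):
    """Turn a PDF date string into a timezone-aware datetime, or None if unparseable."""
    m = DATE_RE.match(text.strip())
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    tz = timezone.utc
    if sign in ("+", "-"):
        off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(off if sign == "+" else -off)
    try:
        return datetime(int(y), int(mo or 1), int(d or 1), int(h or 0), int(mi or 0), int(s or 0), tzinfo=tz)
    except ValueError:  # e.g. month 13; a malformed date is itself worth noting
        return None


def triage(meta: dict, producer_watchlist, creation_window=None):
    """Return human-readable findings. producer_watchlist holds substrings of /Producer worth a
    second look; creation_window is an optional ("YYYY-MM-DD", "YYYY-MM-DD") span, supplied by
    the analyst, in which the claimed producer was really in use. Both are hypothetical inputs."""
    findings = []
    producer = meta.get("Producer", "")
    if any(p.lower() in producer.lower() for p in producer_watchlist):
        findings.append(f"producer matches watchlist: {producer!r}")
    created = parse_pdf_date(meta.get("CreationDate", ""))
    modified = parse_pdf_date(meta.get("ModDate", ""))
    if created and modified:
        gap = (modified - created).days
        if gap < 0:
            findings.append("ModDate earlier than CreationDate")
        elif gap > 365:
            findings.append(f"document modified {gap} days after creation")
    if created and creation_window:
        start, end = (datetime.fromisoformat(x).replace(tzinfo=timezone.utc) for x in creation_window)
        if not start <= created <= end:
            findings.append(f"CreationDate {created.date()} outside the producer's known-use window")
    return findings


if __name__ == "__main__":
    info = extract_info(SAMPLE_PDF)
    for key, value in info.items():
        print(f"{key:>12}: {value}")
    for finding in triage(info, ["pypdf"], ("2010-01-01", "2012-01-01")):  # placeholder inputs
        print("finding:", finding)
```

The /Info dictionary is just another object written by whoever produced the file, so every field here is attacker-controlled and trivially edited; treat a hit as a pivot for investigation rather than a block rule, which is the false-positive point the commenters disagree over. XMP metadata (the /Metadata stream) is a second, independent copy of these fields and is not parsed here; comparing the two is a cheap extra check when they disagree.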