We just blogged about a highly targeted attack against military contractors.

Now we saw one against the intelligence sector.

This attack was done with a PDF file. Again.

It was targetting the CVE-2009-4324 vulnerability. Again.

When opened, the PDF file (md5: c3079303562d4672d6c3810f91235d9b) looked like this:

What really happens in the background? Just like last time, the exploit code drops a backdoor in a file called Updater.exe (md5: 02420bb8fd8258f8afd4e01029b7a2b0).

Now, what is the document talking about? President’s day? DNI Information Sharing Environment? We don’t know, but a quick web search tells us that apparently there is going to be an Intelligence fair & expo in Germany next month.

Hmm. The Agenda looks awfully familiar.