
Symantec Uncovers Attacks Targeting Defense, Aerospace Execs

Researchers from Symantec say they have discovered a targeted attack that singled out high-level employees in the defense and aerospace industries.


According to Symantec, the attacks came in the form of spear-phishing emails with a malicious PDF attachment, sent to carefully selected individuals, including directors and vice presidents at organizations in the aviation, air traffic control, government, and defense-contractor sectors. In total, Symantec said it had so far identified at least 12 different organizations targeted in the attack.

The attacker(s) used an industry outlook report for the aerospace and defense industries, published in 2012, as the malicious document, and attempted to make it appear as though the publisher of the report was the sender of the email. The messages were also crafted to look as though they were being forwarded by internal employees or by individuals from within the targeted industries, Symantec said.

The malicious PDF attempts to exploit an Adobe Flash Player vulnerability (CVE-2011-0611); if successful, it drops additional malware along with a clean copy of the PDF file so that the victim sees the expected document and the compromise stays under the radar.

The vulnerability exploited in the attack was actually patched in 2011. This is a prime example of how older, unpatched vulnerabilities can be just as dangerous to an organization as zero-day vulnerabilities, and in many cases even more dangerous.

According to a recent report from security vendor Solutionary, 58 percent of the vulnerabilities targeted by the most popular exploit kits in the fourth quarter of 2012 were more than two years old.

“The fact that cyber criminals are able to penetrate network defenses by targeting aging vulnerabilities and using old techniques demonstrates that many organizations are still playing catch-up when it comes to cyber security,” Rob Kraus, director of research for Solutionary’s Security Engineering Research Team (SERT), said in a statement.

In the attack identified by Symantec, the threat drops a malicious version of the svchost.exe file, which then installs a malicious version of ntshrui.dll into the Windows directory.

“The threat leverages a technique known as DLL search order hijacking (the ntshrui.dll file is not protected by KnownDLLs),” Symantec explained in a blog post. “When the svchost.exe file calls the explorer.exe file, it will load the malicious ntshrui.dll file in the Windows folder instead of the legitimate ntshrui.dll file in the Windows system directory.”
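To make the search-order point concrete, here is an added example (not Symantec's or SecurityWeek's code) that models the Windows DLL search order: it shows why a copy of ntshrui.dll placed in the Windows directory, next to explorer.exe, is picked ahead of the genuine copy in System32, and it includes a defender-side check that lists every DLL shadowing a System32 file for a given process. The directory contents, the `SAMPLE_FS` layout and the KnownDLLs subset are constructed for the example; the search order is the standard one with SafeDllSearchMode enabled, with PATH directories omitted.

```python
"""
Added example (not Symantec's or SecurityWeek's code): a small model of the
Windows DLL search order and a check for DLLs that shadow System32 copies.
Directory contents below are constructed for the example.
"""
from __future__ import annotations
import os

SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"

# KnownDLLs are always resolved from the system directory regardless of the
# search order, so they cannot be hijacked this way. Constructed subset of the
# real list; ntshrui.dll is not in it, which is the gap the attack relies on.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir: str, cwd: str) -> list[str]:
    """Directories in the order the loader tries them with SafeDllSearchMode
    on: application directory first, then the system directories, the
    Windows directory, and finally the current working directory."""
    return [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, cwd]


def resolve_dll(name: str, app_dir: str, cwd: str,
                fs: dict[str, set[str]]) -> str | None:
    """Path the loader would pick for `name`, or None if it is absent.
    `fs` maps a directory to the lowercase file names it contains."""
    name = name.lower()
    if name in KNOWN_DLLS and name in fs.get(SYSTEM_DIR, set()):
        return f"{SYSTEM_DIR}\\{name}"
    for directory in search_order(app_dir, cwd):
        if name in fs.get(directory, set()):
            return f"{directory}\\{name}"
    return None


def find_shadowed_dlls(app_dir: str, cwd: str,
                       fs: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Detection: every DLL present in System32 that a process started from
    `app_dir` would instead load from an earlier directory.
    Returns (dll name, path that wins, legitimate System32 path)."""
    hits = []
    for name in sorted(fs.get(SYSTEM_DIR, set())):
        if not name.endswith(".dll"):
            continue
        winner = resolve_dll(name, app_dir, cwd, fs)
        legit = f"{SYSTEM_DIR}\\{name}"
        if winner is not None and winner.lower() != legit.lower():
            hits.append((name, winner, legit))
    return hits


def snapshot(directories: list[str]) -> dict[str, set[str]]:
    """Build the `fs` map from a live system. Directories that do not exist
    are skipped, so this is harmless to call on a non-Windows host."""
    fs: dict[str, set[str]] = {}
    for directory in directories:
        if os.path.isdir(directory):
            fs[directory] = {f.lower() for f in os.listdir(directory)}
    return fs


# Constructed layout mirroring the report: explorer.exe lives in C:\Windows,
# the genuine ntshrui.dll in System32, and a planted copy beside explorer.exe.
SAMPLE_FS = {
    SYSTEM_DIR: {"ntshrui.dll", "kernel32.dll", "ntdll.dll", "shell32.dll"},
    WINDOWS_DIR: {"explorer.exe", "ntshrui.dll"},
    r"C:\Program Files\SomeApp": {"someapp.exe", "helper.dll"},
}

if __name__ == "__main__":
    cwd = r"C:\Users\alice"
    print("explorer.exe loads:", resolve_dll("ntshrui.dll", WINDOWS_DIR, cwd, SAMPLE_FS))
    for hit in find_shadowed_dlls(WINDOWS_DIR, cwd, SAMPLE_FS):
        print("shadowed:", hit)
```

Run against `snapshot([WINDOWS_DIR, SYSTEM_DIR, SYSTEM16_DIR])` on a real host, `find_shadowed_dlls(WINDOWS_DIR, ...)` turns the report's indicator into a repeatable check: any DLL name that exists in both C:\Windows and System32 deserves a look, because explorer.exe will take the C:\Windows copy.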

Symantec detects both the svchost.exe and ntshrui.dll files as Backdoor.Barkiofork, whose capabilities include the ability to:

• Enumerate disk drives

• Contact the command-and-control (C&C) server at osamu.update.ikwb.com

• Steal system information

• Download and execute further updates
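The C&C hostname above is the one indicator in the article that a defender can turn directly into a detection. The following added example (not Symantec's or SecurityWeek's code) matches DNS query logs against it, treating the exact host and any subdomain as a hit while ignoring look-alike names; the log lines and their format (timestamp, client IP, query type, query name) are constructed for the example.

```python
"""
Added example (not Symantec's or SecurityWeek's code): match DNS query logs
against the C&C domain named in the report. Log lines and format constructed.
"""
from __future__ import annotations
import re

# Indicator taken from the Symantec write-up quoted in the article.
C2_INDICATORS = {"osamu.update.ikwb.com"}

# Constructed sample log; the format is an assumption for this example.
SAMPLE_LOG = """\
2013-02-20T09:12:01Z 10.0.4.17 query A www.example.com
2013-02-20T09:12:33Z 10.0.4.22 query A osamu.update.ikwb.com.
2013-02-20T09:13:05Z 10.0.4.17 query A update.ikwb.com
2013-02-20T09:14:48Z 10.0.4.31 query A beacon.OSAMU.update.ikwb.com
2013-02-20T09:15:02Z 10.0.4.22 query A notosamu.update.ikwb.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)\s*$"
)


def normalise(name: str) -> str:
    """Lowercase and drop a trailing dot so FQDN and relative forms compare."""
    return name.lower().rstrip(".")


def matches_indicator(qname: str, indicators=C2_INDICATORS) -> str | None:
    """Return the indicator that `qname` equals or is a subdomain of.
    'notosamu.update.ikwb.com' must not match 'osamu.update.ikwb.com', so
    the subdomain test requires a leading dot."""
    q = normalise(qname)
    for ioc in indicators:
        ioc = normalise(ioc)
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(text: str, indicators=C2_INDICATORS) -> list[tuple[str, str, str, str]]:
    """Parse each log line and return (timestamp, client, query, indicator)
    for every query that matches an indicator. Unparseable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ioc = matches_indicator(m["qname"], indicators)
        if ioc:
            hits.append((m["ts"], m["client"], normalise(m["qname"]), ioc))
    return hits


def clients_to_triage(hits) -> list[str]:
    """Distinct client addresses that resolved a C&C name, for follow-up."""
    return sorted({client for _, client, _, _ in hits})


if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_LOG)
    for hit in hits:
        print("C&C lookup:", hit)
    print("hosts to triage:", clients_to_triage(hits))
```

Because the report lists only the full host, the match is deliberately narrow: the parent `update.ikwb.com` is not flagged, which avoids alerting on names the article does not itself implicate.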

Symantec advised organizations to ensure proper email security measures are in place, and that patch management is taken seriously.

“It’s vital that organizations pay close attention to patch management and endpoint security controls in order to significantly decrease the likelihood of compromise,” Solutionary’s Kraus said. 

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
