Let's look at the CVE-2010-2883 Adobe 0-day sample, the "David Leadbetter's One Point Lesson" PDF file from Mila.
One of the files it dropped was hcp.dll, which is signed with a certificate.
The file was compiled with Visual Studio 6.0; its PE compile timestamp is 30/08/2010 23:49:52, and Mila captured it on 07/09/2010. So it looks like the sample was an unknown, undetected 0-day for only about one week (taking the timestamp at face value: the compile timestamp in a PE header is written by the linker and can be set to any value by whoever built the file).
In the version resource (VarFileInfo) the language is Korean (Unicode).
The file is written in C++ with MFC.
Exported functions are:
The shellcode calls the exported function StartUp.
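The compile timestamp and the export table are two of the first things to pull off a dropped DLL like this, and both can be read with nothing but the Python standard library. The following is an added example, not code from the original post: it parses the COFF header, the section table and the export directory of a PE image, and computes the compile-to-capture window. Because the real hcp.dll is not reproduced here, the block constructs a minimal 1 KiB stand-in DLL that mirrors the facts reported above (a DLL named hcp.dll exporting StartUp, stamped 30/08/2010 23:49:52, treated as UTC); its section layout, dummy code RVAs and the capture date argument are assumptions for illustration only.

```python
import calendar
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000


def parse_pe(data: bytes) -> dict:
    """Read the COFF timestamp, DLL flag, section names and named exports of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    machine, nsec, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)           # data directories: PE32 vs PE32+
    exp_rva = struct.unpack_from("<II", data, dd_off)[0]      # directory entry 0 = export table
    sec_off = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))

    def rva2off(rva: int) -> int:                             # map an RVA to a file offset
        for _, va, vsize, rawptr, rawsize in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} outside every section")

    def cstr(off: int) -> str:
        return data[off:data.index(b"\0", off)].decode()

    dll_name, exports = None, []
    if exp_rva:
        (_, _, _, _, name_rva, base, _, nnames, _, names_rva,
         ords_rva) = struct.unpack_from("<IIHHIIIIIII", data, rva2off(exp_rva))
        dll_name = cstr(rva2off(name_rva))
        names_off, ords_off = rva2off(names_rva), rva2off(ords_rva)
        for i in range(nnames):
            nrva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
            ordinal = base + struct.unpack_from("<H", data, ords_off + 2 * i)[0]
            exports.append((cstr(rva2off(nrva)), ordinal))
    return {
        "machine": machine,
        "compile_time": datetime.fromtimestamp(tstamp, timezone.utc),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": [s[0] for s in sections],
        "dll_name": dll_name,
        "exports": exports,
    }


def exposure_days(info: dict, captured_iso: str) -> int:
    """Whole days between the (attacker-editable, so untrusted) compile stamp and the capture date."""
    captured = datetime.fromisoformat(captured_iso).replace(tzinfo=timezone.utc)
    return (captured - info["compile_time"]).days


# Constructed stand-in (assumption: not the real hcp.dll): a 1 KiB PE32 DLL with one
# .edata section that exports StartUp, stamped with the date the post reports (as UTC).
SAMPLE_TIMESTAMP = calendar.timegm((2010, 8, 30, 23, 49, 52))  # 1283212192


def build_sample_dll(timestamp: int = SAMPLE_TIMESTAMP, dll_name: bytes = b"hcp.dll",
                     export_names=(b"StartUp",)) -> bytes:
    sec_va, sec_raw, n = 0x1000, 0x200, len(export_names)   # assumed layout
    funcs_rva = sec_va + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings, name_rvas = b"", []
    for nm in export_names:
        name_rvas.append(str_rva + len(strings))
        strings += nm + b"\0"
    dllname_rva = str_rva + len(strings)
    strings += dll_name + b"\0"
    edata = struct.pack("<IIHHIIIIIII", 0, timestamp, 0, 0, dllname_rva, 1, n, n,
                        funcs_rva, names_rva, ords_rva)
    edata += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # dummy code RVAs
    edata += b"".join(struct.pack("<I", r) for r in name_rvas)
    edata += b"".join(struct.pack("<H", i) for i in range(n))
    edata = (edata + strings).ljust(sec_raw, b"\0")

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x2102)  # i386, DLL, 32-bit
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sec_va, len(edata))                      # export directory
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), sec_va, len(edata), sec_raw,
                      0, 0, 0, 0, 0x40000040)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(sec_raw, b"\0") + edata


if __name__ == "__main__":
    info = parse_pe(build_sample_dll())
    print(info["dll_name"], info["compile_time"], info["exports"],
          exposure_days(info, "2010-09-07"), "days from build to capture")
```

Run against a real file with `parse_pe(open(path, "rb").read())`. The exposure figure is only as good as the timestamp: since the COFF stamp is plain data in the header, a builder who cares can back-date or zero it, so treat it as a lead to corroborate (certificate signing time, first sighting) rather than as evidence on its own.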
In my opinion:
1. The loader hcp.dll and the exploit were written by different people, because of the difference in the quality of the programming. The loader hcp.dll was written by a programmer with much lower skills, because it is written in C++ with MFC and does not use any firewall bypass technique.
2. It looks like hcp.dll had a digital signature only to bypass AV.
3. If the loader file was made on a system with Korean as the default language (Korean Windows), then it was not from China but from Korea.