Many malicious email campaigns today leverage Word documents to hide and spread malware, but a recently discovered campaign uses a malicious PDF file and a 22-year-old Office bug to propagate the Snake Keylogger malware, researchers have found.
Attackers have leveraged Microsoft Office document formats like Word and Excel in the past because users tend to be more familiar with those file extensions and assume they are safe to open, which makes them ideal for social engineering attacks.
The campaign was discovered by researchers at HP Wolf Security, who found that it aims to dupe victims with an attached PDF file claiming to have information about a settlement payment. Instead, it loads the info-stealing malware, using some tricky evasion tactics to avoid detection.
The HP Wolf Security team noticed a new PDF-based threat campaign in March 2022 with an “unusual exploit chain,” involving not just a PDF but also “several tricks to evade detection, such as embedding malicious files, loading remotely-hosted exploits and shellcode encryption,” Schlapfer reported.
Attackers target victims with emails that include a PDF document named ‘REMMITANCE INVOICE.pdf’ as an attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file with the name “has been verified. However PDF, Jpeg, xlsx, .docx” to make it look as though the file name was part of the Adobe Reader prompt.
The .docx file is stored as an embedded file object within the PDF, and it opens in Microsoft Word if clicked, researchers found. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then run in the context of the open document.
Researchers unzipped the contents of the .rtf, which is an Office Open XML file, finding a URL hidden in the “document.xml.rels” file that is not a legitimate domain found in Office documents.
Connecting to this URL leads to a redirect and then downloads an RTF document called “f_document_shp.doc”. This document contained two “not well-formed” Object Linking and Embedding (OLE) objects that revealed shellcode exploiting CVE-2017-11882, which researchers said is an “over four-years-old” Remote Code Execution (RCE) vulnerability in Equation Editor.
As the final act of the attack, researchers found shellcode stored in the “OLENativeStream” structure at the end of one of the OLE objects they examined. That code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed and in turn leads to an executable called fresh.exe that loads the Snake Keylogger, researchers found.
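The two delivery stages described above (a PDF carrying an embedded file object, and a Word document whose relationships part points at a remote resource) are both visible to a defender before any exploit runs. The following triage script is an added example written for this post, not code from HP Wolf Security or CyberHoot. It constructs a minimal sample PDF and a minimal .docx package in memory, then flags the PDF names that signal embedded or auto-launched content and any OOXML relationship marked `TargetMode="External"` whose host is not on an allowlist. The allowlist, the `example.invalid` host and the sample files are constructed placeholders; the byte scan of the PDF is deliberately crude (no object-stream or hex-escape handling) and is meant as a first filter, not a full parser.

```python
"""Triage checks for a PDF with embedded files and an OOXML document with
external relationships. Sample inputs are constructed inline for this example."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Real OPC relationships namespace used by every *.rels part in a .docx.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Constructed allowlist: hosts an organisation treats as legitimate targets.
ALLOWED_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com"}

# PDF names that warrant a closer look. Crude byte scan only; real PDFs can
# hide names behind hex escapes or inside compressed object streams.
PDF_INDICATORS = (b"/EmbeddedFile", b"/Launch", b"/OpenAction", b"/JavaScript")

# Constructed sample PDF fragment containing an embedded file stream object.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"%%EOF\n"
)


def pdf_indicators(pdf_bytes: bytes) -> list:
    """Return the suspicious PDF names present in the raw bytes, in table order."""
    return [name.decode() for name in PDF_INDICATORS if name in pdf_bytes]


def external_relationships(docx_bytes: bytes) -> list:
    """Return external relationship targets whose host is not allowlisted.

    Every *.rels part is inspected, not only word/_rels/document.xml.rels,
    because a remote template or OLE reference can be declared in any part.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                host = urlparse(target).hostname or ""
                if host not in ALLOWED_HOSTS:
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    flagged.append(f"{part}: {rel_type} -> {target}")
    return flagged


def build_sample_docx(external_target: str) -> bytes:
    """Construct a minimal .docx whose document.xml.rels points an OLE object
    at a remote URL. Constructed sample for this example, not a real document."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        "</Types>"
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body/></w:document>"
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        f'Target="{external_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("word/document.xml", document)
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print("PDF indicators:", pdf_indicators(SAMPLE_PDF))
    # Placeholder host; the file name mirrors the one reported in the campaign.
    sample = build_sample_docx("http://example.invalid/f_document_shp.doc")
    for finding in external_relationships(sample):
        print("External relationship:", finding)
```

Run as a script it prints one PDF indicator and one flagged relationship. In practice the same two functions can be pointed at a mail gateway's quarantined attachments: an external relationship of type `oleObject` or `attachedTemplate` to an unfamiliar host is the observable that precedes the RTF download in this chain, and it is present whether or not Protected View would have stopped the fetch.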
As with the majority of threats end users face on a daily basis, it is vital that they know how to spot and avoid phishing attacks. Your employees can learn to recognize the following threat vectors to help them spot and avoid phishing attacks like the one reported in this blog post.
If you want to ensure that your users are being tested on these aspects of phishing emails, you can utilize CyberHoot’s Assignment-Based Phishing Module which contains a section that asks users to determine if an attachment is safe or not. You can check out our video walkthrough showing an overview of the module here.
Final thoughts: hackers are always seeking new ways to attack us. PDFs have traditionally appeared safe, but as this attack shows, they can contain embedded dangers. Always be learning and training on cybersecurity topics to stay one step ahead of new attacks by malicious actors.
The following recommendations will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.
Each of these recommendations, except cyber-insurance, is built into CyberHoot’s product and virtual Chief Information Security Officer services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.