Snake Keylogger Spreading Through PDFs

Many malicious email campaigns today leverage Word documents to hide and spread malware, but a recently discovered campaign uses a malicious PDF file and a 22-year-old Office bug to propagate the Snake Keylogger malware, researchers have found.

Attackers have leveraged Microsoft Office document formats like Word and Excel in the past because users tend to be more familiar with those file extensions, so they assume they’re safe to open; which makes it ideal for social engineering attacks.

The campaign was discovered by researchers at HP Wolf Security, who found that it aims to dupe victims with an attached PDF file claiming to have information about a settlement payment. Instead, it loads the info-stealing malware, using some tricky evasion tactics to avoid detection.

The Malicious Campaign

The HPW Wolf Security team noticed a new PDF-based threat campaign in March 2022 with an “unusual exploit chain,” involving not just a PDF but also “several tricks to evade detection, such as embedding malicious files, loading remotely-hosted exploits and shellcode encryption,” Schlapfer reported.

Attackers target victims with emails that include a PDF document named ‘REMMITANCE INVOICE.pdf‘ as an attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file with the name “has been verified. However PDF, Jpeg, xlsx, .docx” to make it look as though the file name was part of the Adobe Reader prompt. 

The.docx file is stored as an embedded file object within the PDF, which opens Microsoft Word if clicked on, researchers found. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which then is run in the context of the open document.

Researchers unzipped the contents of the .rtf, which is an Office Open XML file, finding a URL hidden in the “document.xml.rels” file that is not a legitimate domain found in Office documents.

Connecting to this URL leads to a redirect and then downloads an RTF document called “f_document_shp.doc. This document contained two “not well-formed” Object Linking and Embedding (OLE) objects that revealed shellcode exploiting CVE-2017-11882, which researchers said is an “over four-years-old” Remote Code Execution (RCE) vulnerability in Equation Editor.

As the final act of the attack, researchers found a shellcode stored in the “OLENativeStream” structure at the end of one of the OLE objects they examined. The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed after to lead to an executable called fresh.exe that loads the Snake Keylogger, researchers found.

What Does This Mean For Your SMB or MSP?

Just like the majority of threats end-users face on a daily basis, it’s vital that they are aware of how to spot and avoid phishing attacks. The following threat vectors can be learned by your employees to help them spot and avoid phishing attacks like the one reported in this blog post.

1. Unexpected emails with attachments should be treated like toxic chemicals. Don’t go near them unless you’ve verified with the sender that they intended to email you the unexpected file and topic.
2. Be exceptionally careful not to open attachments from senders you don’t recognize, especially if it has an enticing name (salary details, payment details, etc.).
3. Whenever users see an attachment, check the three-letter extension to see if it may have malicious content embedded within. Dangerous files types include: 

• • • .bat (a batch file)
    • .exe (executable file)
    • any Microsoft file containing M in the extension (.xlsm, .docm, .pptm) which indicates a macro-enabled file
    •  .zip (can contain any of the aforementioned file types)
    • .pdf in this case. But the PDF had an embedded Word document you had to click on. Don’t open URLs shown inside a PDF and don’t click on embedded documents within a PDF. Most PDF files are typically safe to open on their own, so long as you have dutifully updated your PDF reader such as Adobe Reader.

If you want to ensure that your users are being tested on these aspects of phishing emails, you can utilize CyberHoot’s Assignment-Based Phishing Module which contains a section that asks users to determine if an attachment is safe or not. You can check out our video walkthrough showing an overview of the module here. 

Final thoughts, hackers are always seeking new ways to attack us. PDFs have traditionally appeared safe but as we see in this attack, can contain embedded dangers. Always be learning and training on cybersecurity topics to stay one step ahead of new attacks by malicious actors.

CyberHoot’s Minimum Essential Cybersecurity Recommendations

The following recommendations will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.

1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
2. Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
3. Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
4. Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, and deploy DNS protection, antivirus, and anti-malware on all your endpoints.
5. In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections) or prohibiting their use entirely.
6. If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

Each of these recommendations, except cyber-insurance, is built into CyberHoot’s product and virtual Chief Information Security Officer services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.