This Malware-spreading PDF Uses a Clever File Name to Fool Unsuspecting Victims
How Does the Attack Happen?
Threat actors distributing the Snake keylogger for Windows are sending malicious PDFs by email. Each PDF carries an embedded Word document, which is the component that actually compromises the target's device and steals sensitive data.
The campaign was observed by researchers at HP's Wolf Security, who noted that malicious PDFs are an uncommon delivery method nowadays: cybercriminals tend to favor Word and Excel files, which PC users are more accustomed to opening.
According to the analysts, the malicious PDF was used to install Snake on victims' computers. Snake is a keylogger and information stealer that was first observed in November 2020.
The Malware Campaign
According to ZDNet, the malicious actors sent an email with an attached PDF document called “REMMITANCE INVOICE.pdf” with an embedded Word document named “has been verified. However PDF, Jpeg, xlsx, .docs”.
The reason attackers chose such a strange file name for the Word document becomes clear from the confirmation prompt Adobe Reader shows when the user tries to open the embedded file.
The prompt says:
The file ‘has been verified. However PDF, Jpeg, xlsx, .docs’ may contain programs, macros, or viruses that could potentially harm your computer.
When an employee receives the notification and quickly reads it, they may believe the file has been verified and is safe to open.
When the victim clicks "Open this file," Microsoft Word launches. According to HP, if Protected View is disabled, Word fetches a Rich Text Format (.rtf) file from a web server and loads it in the context of the open document.
On examining the Word document, HP's researchers found an attacker-controlled URL from which an external Object Linking and Embedding (OLE) object was loaded.
That OLE object carries shellcode that exploits CVE-2017-11882, a well-known remote code execution flaw in Microsoft Office's Equation Editor that cybercriminals continue to use.
The shellcode downloads an executable named fresh.exe, which is the Snake keylogger itself. Snake has previously been distributed through malicious RTF documents or archive files attached to email messages.
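The chain described above lends itself to static triage at each stage: the PDF's embedded-file name versus what the embedded stream actually is, the Word document's relationships file pointing at an external OLE target, and the RTF's Equation Editor object. The Python below is an added example, not HP's or the article's tooling. All three inputs are constructed stand-ins: the PDF fragment reuses the campaign's attachment name but holds only a ZIP header, the .docx points at a documentation address (203.0.113.10) and a made-up path, and the RTF's objdata is a placeholder that names the Equation Editor class and CLSID but contains no exploit.

```python
"""Static triage of a PDF -> Word -> RTF -> Equation Editor chain.
All samples are constructed for this example; none contain exploit code."""
from __future__ import annotations
import io
import os
import re
import zipfile
import xml.etree.ElementTree as ET

# --- Stage 1: PDF embedded-file name vs. actual content -------------------
# Constructed PDF fragment: a /Filespec naming the attachment as in the
# campaign, with an OOXML (ZIP) magic number at the start of the stream.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"3 0 obj << /Type /Filespec /F (has been verified. However PDF, Jpeg, xlsx, .docs) "
    b"/EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nPK\x03\x04\nendstream endobj\n"
)
_FILESPEC = re.compile(rb"/Filespec\b(?:(?!endobj).)*?/U?F\s*\((.*?)\)", re.S)
_STREAM = re.compile(rb"/Type\s*/EmbeddedFile.*?stream\r?\n(.*?)\r?\nendstream", re.S)
_MAGIC = {b"PK\x03\x04": "zip/ooxml", b"{\\rtf": "rtf", b"\xd0\xcf\x11\xe0": "ole2", b"%PDF": "pdf"}
_DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".jpg", ".jpeg", ".png", ".txt", ".zip"}

def pdf_embedded_files(pdf: bytes) -> list[dict]:
    """Declared name and extension of each embedded file, plus the format its
    magic bytes imply. Assumes /Filespec and /EmbeddedFile objects appear in
    the same order (true for the constructed sample; verify on real files)."""
    names = [m.group(1).decode("latin-1") for m in _FILESPEC.finditer(pdf)]
    streams = [m.group(1) for m in _STREAM.finditer(pdf)]
    out = []
    for name, data in zip(names, streams):
        ext = os.path.splitext(name)[1].lower()
        kind = next((k for magic, k in _MAGIC.items() if data.startswith(magic)), "unknown")
        # A sentence-like name, or an extension that is not a document type
        # (".docs" is not one), is the social-engineering tell from this campaign.
        deceptive = ext not in _DOC_EXTS or len(name.split()) >= 4
        out.append({"name": name, "ext": ext, "content": kind, "deceptive": deceptive})
    return out

# --- Stage 2: Word document that pulls an OLE object from a URL -----------
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def build_sample_docx() -> bytes:
    """Constructed minimal .docx whose relationships file points an OLE object
    at an external URL (203.0.113.10 and stage2.rtf are placeholders)."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OOXML_REL}oleObject" '
        'Target="http://203.0.113.10/stage2.rtf" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

def docx_external_objects(docx: bytes) -> list[tuple[str, str]]:
    """(relationship type, target) for every relationship that leaves the
    package. oleObject/attachedTemplate targets are fetched automatically when
    Word renders the document; hyperlinks are only followed on click."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append((rel.get("Type").rsplit("/", 1)[-1], rel.get("Target")))
    return found

# --- Stage 3: RTF carrying an Equation Editor (EQNEDT32) object -----------
# Constructed RTF: object class and CLSID of Equation Editor 3.0 are present;
# the objdata is a placeholder, not a valid object stream and not an exploit.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000020000000b0000004571756174696f6e2e3300"
    b"02ce020000000000c000000000000046}}}"
)
# {0002CE02-0000-0000-C000-000000000046} serialized little-endian
EQNEDT_CLSID_HEX = b"02ce020000000000c000000000000046"

def rtf_has_equation_object(rtf: bytes) -> bool:
    """True if the RTF embeds an Equation Editor object by class name (even if
    obfuscated into objdata) or by CLSID; this is the CVE-2017-11882 carrier."""
    objdata = b"".join(re.findall(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf))
    objdata = re.sub(rb"\s", b"", objdata).lower()
    return (re.search(rb"\\objclass\s+Equation\.3", rtf, re.I) is not None
            or EQNEDT_CLSID_HEX in objdata
            or b"Equation.3".hex().encode() in objdata)

def triage() -> dict:
    return {
        "pdf": pdf_embedded_files(SAMPLE_PDF),
        "docx": docx_external_objects(build_sample_docx()),
        "rtf": rtf_has_equation_object(SAMPLE_RTF),
    }

if __name__ == "__main__":
    for stage, finding in triage().items():
        print(stage, finding)
```

The PDF check is deliberately crude (a regex pass over raw bytes); object streams and encrypted PDFs hide the /Filespec dictionary, so treat a clean result there as "not found", not "absent". The docx and RTF checks are more reliable because they read the actual container: an external oleObject relationship is exactly what causes Word to reach out to the web server in this campaign, and the Equation Editor CLSID survives the class-name obfuscation seen in CVE-2017-11882 samples.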
While Office formats remain popular, this campaign shows that attackers are also weaponizing PDF documents to infect systems. Embedding files, loading remotely hosted exploits and encrypting shellcode are three of the techniques used to run malware under the radar. The vulnerability exploited here (CVE-2017-11882) is over four years old yet continues to be used, which suggests the exploit still pays off for attackers.