
Attackers Deliver Snake Keylogger via Digital Parcel

A malware distribution campaign is using PDF attachments to deliver a malicious Word document that infects users with the Snake Keylogger information-stealer. Wrapping the document in a PDF appears intended to slip the malicious macros and encrypted shellcode past detection.

About the attack

A report from HP Wolf Security describes how threat actors use PDFs as a carrier for documents laden with malicious macros. These macros download and install Snake Keylogger, an information-stealer, on victims' systems.
  • The PDF arrives attached to an email titled “Remittance Invoice”, luring the recipient with a false promise of payment.
  • When the PDF is opened, Adobe Reader prompts the user to open an embedded DOCX file, a prompt that may confuse the victim into allowing it.
  • If the user opens the DOCX in Microsoft Word, the document retrieves an RTF file from a hardcoded URL embedded in the Word file, which hosts the next-stage payload.

The exploitation of an old vulnerability

The RTF document, named ‘f_document_shp[.]doc’, contains malformed OLE objects, apparently to hinder analysis. It abuses an old Equation Editor vulnerability to execute arbitrary code.
  • The embedded shellcode exploits CVE-2017-11882, a remote code execution flaw in Microsoft Equation Editor that was patched in November 2017 but remains exploitable on systems that never received the update.
  • Once the vulnerability is triggered, the shellcode downloads and runs Snake Keylogger, which provides persistence, credential access, defense evasion, data harvesting, and exfiltration.
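As an added example, not code from the Cyware article or the HP Wolf Security report, the following Python performs a first-pass static triage of the two document stages described above: it looks for an embedded file specification in a PDF and for an Equation.3 OLE object in an RTF, the Equation Editor component targeted by CVE-2017-11882. The function names, indicator labels and sample inputs are constructed for this example; the Equation Editor CLSID and the RTF control words are the real ones.

```python
import re
from typing import Dict, List

# Hypothetical triage helper (added example, not tooling from the Cyware article
# or the HP Wolf Security report). It greps for the static indicators that
# accompany the PDF -> DOCX -> RTF chain described above:
#   * a PDF carrying an embedded file specification (the DOCX stage), and
#   * an RTF embedding an OLE object of class Equation.3, the component
#     targeted by CVE-2017-11882.
# A hit means "inspect or detonate this sample", not proof of exploitation.

# Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, serialised
# little-endian as it appears inside an OLE object stream.
EQNEDT_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")

RTF_OBJECT_RE = re.compile(rb"\\object\b")
RTF_OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")
RTF_OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)", re.DOTALL)
HEX_RE = re.compile(rb"[0-9A-Fa-f]")

PDF_EMBEDDED_RE = re.compile(rb"/EmbeddedFile\b")
PDF_NAME_RE = re.compile(rb"/(?:F|UF)\s*\(([^)]*)\)")
OFFICE_EXT = (".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm")


def decode_objdata(blob: bytes) -> bytes:
    """Decode hex-encoded \\objdata, tolerating whitespace or control words
    scattered through the hex (a common obfuscation in malformed RTFs)."""
    hexchars = b"".join(HEX_RE.findall(blob))
    if len(hexchars) % 2:
        hexchars = hexchars[:-1]
    return bytes.fromhex(hexchars.decode("ascii"))


def triage_rtf(data: bytes) -> Dict[str, object]:
    """Flag RTF features associated with Equation Editor exploit documents."""
    findings: List[str] = []
    head = data.lstrip()[:6]
    # Word accepts a truncated '{\rt' header; legitimate writers emit '{\rtf1'.
    if head.startswith(b"{\\rt") and not head.startswith(b"{\\rtf1"):
        findings.append("non-standard-rtf-header")
    classes = [c.decode("ascii", "replace") for c in RTF_OBJCLASS_RE.findall(data)]
    if any(c.lower().startswith("equation") for c in classes):
        findings.append("objclass-equation")
    for blob in RTF_OBJDATA_RE.findall(data):
        payload = decode_objdata(blob)
        if EQNEDT_CLSID_LE in payload:
            findings.append("objdata-eqnedt-clsid")
        if b"Equation.3" in payload or "Equation Native".encode("utf-16-le") in payload:
            findings.append("objdata-equation-string")
    return {
        "ole_objects": len(RTF_OBJECT_RE.findall(data)),
        "objclass": classes,
        "findings": findings,
        "suspicious": bool(findings),
    }


def triage_pdf(data: bytes) -> Dict[str, object]:
    """Flag a PDF that carries an embedded file, especially an Office document.
    Works on uncompressed object dictionaries only (see note below)."""
    findings: List[str] = []
    names = list(dict.fromkeys(n.decode("latin-1") for n in PDF_NAME_RE.findall(data)))
    if PDF_EMBEDDED_RE.search(data):
        findings.append("embedded-file")
    if any(n.lower().endswith(OFFICE_EXT) for n in names):
        findings.append("embedded-office-document")
    return {"embedded_names": names, "findings": findings, "suspicious": bool(findings)}


# Constructed samples (not real campaign artefacts): an RTF with an Equation.3
# object whose hex data starts with an OLE1 header naming the class and also
# carries the Equation Editor CLSID, plus a benign RTF and a PDF fragment whose
# file specification points at an embedded DOCX.
SAMPLE_RTF = (
    b"{\\rt\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300 "
    + EQNEDT_CLSID_LE.hex().encode("ascii")
    + b"}}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Hello, world.}"
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Filespec /F (attachment.docx) /UF (attachment.docx)"
    b" /EF << /F 2 0 R >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /EmbeddedFile /Length 4 >>\nstream\nPK\x03\x04\nendstream\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, result in (("rtf", triage_rtf(SAMPLE_RTF)),
                          ("benign rtf", triage_rtf(BENIGN_RTF)),
                          ("pdf", triage_pdf(SAMPLE_PDF))):
        print(label, result)
```

The PDF check only sees uncompressed object dictionaries; many PDFs keep /Filespec and /EmbeddedFile inside compressed object streams, so decompress with a PDF parser (pdf-parser style tooling) before trusting a clean result. The RTF scanner likewise decodes hex \objdata only and will miss \bin-encoded object data. A hit from either function is a reason to detonate or hand-inspect the sample, not evidence that it exploited anything.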

Concluding notes

Office documents are a staple of attack campaigns; the shift to PDF shows that attackers are exploring and refining alternative delivery formats. Recipients should therefore treat every unexpected attachment with suspicion, PDF files included.

Cyware Publisher
