Using Snake Killer malware for Windows, threat actors send malicious PDFs via email that are embedded in Word documents to compromise their target device and snatch personal data.
The operation of PDF malware has been observed by researchers at HP’s Wolf Security, who say that malicious PDFs are not a common practice today because cybercriminals favor Word and Excel programs, which are more familiar to PC users.
According to threat analysts, the malicious PDF was hired to install Snake malware on the victims’ computers. Snake is a keylogger and data-stealing malware that was discovered in November 2020.
Malware campaign
According to ZDNet, the malicious actors sent an email with an attached PDF document called “REMMITANCE INVOICE.pdf” which contains an embedded Word document named “Verified ৷ but PDF, Jpeg, xlsx, .docs”.
The second time you see the notification that Adobe Reader displays while verifying whether the target is allowed to open this file, it becomes clear why the attackers chose the name of this weird and cunning file for Word document.
The prompt says:
The file has been verified. However, PDF, Jpeg, xlsx, .docs may contain programs, macros or viruses that could harm your computer.
When an employee receives a notification and quickly reads it, they can trust that the file has been verified and is safe to open.
When the victim clicks “Open this file”, Microsoft Word launches. According to HP, if Protected View is disabled, Word downloads a rich text format (.rtf) file from a web server and executes it in the context of an open document.
After examining the Word document, HP experts discovered a fraudulent URL from which an external object linking and embedding (OLE) object was loaded.
OLE objects also have shellcodes that take advantage CVE-2017-11882A well-known remote code execution error in Microsoft Office Equation Editor that cybercriminals still use.
Fresh.exe executable by downloading the shell code, which is actually Snake Killer. The malware has spread through the use of archive files attached to previously corrupted RFT documents or email messages.
Although Office formats remain popular, this campaign shows how attackers are also using armed PDF documents to infect the system. Embedding files, loading remotely hosted exploits, and encrypting shellcodes are just three techniques that attackers use to run malware under radar. The exploited vulnerability (CVE-2017-11882) in this campaign is more than four years old, yet continues to be used, suggesting that exploitation remains effective for attackers.
Alternatively, follow us LinkedIn, Twitter, Facebook, YouTubeAnd Instagram For more cyber security news and topics.
