Hackers have found a new way to smuggle malware onto your device

The PDF logo.
(Image credit: Future)

Cybersecurity researchers from HP Wolf Security have spotted a new cybercrime campaign that leverages PDF files to try and distribute the Snake Keylogger onto vulnerable endpoints.

According to the researchers, the threat actors would first send an email holding the subject line “Remittance Invoice”, to try and trick the victims into thinking they’ll be getting paid for something.

The email would carry an attached PDF file, likely to reassure the victim of the email’s legitimacy, as Word or Excel files are typically suspicious.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Abusing a known flaw

However, a Word document, titled “has been verified”, comes embedded within the PDF. When the victim opens the attachment, they’re greeted with a prompt asking whether or not to open the second file. The message says “The file ‘has been verified’ However PDF, jpeg, xlsx, docx files may contain programs, macros, or viruses.”

This might trick the victim into believing their PDF reader scanned the file and that it’s good to go.

The Word file, expectedly, comes with a macro that, if enabled, will download a rich text format (RTF) file from a remote location, and run it. The file would then try to download the Snake Keylogger, malware described by BleepingComputer as a “modular info-stealer with powerful persistence, defense evasion, credential access, data harvesting, and data exfiltration capabilities”.

The target endpoints still need to be vulnerable to a specific flaw, if the attack is to be successful. Researchers have found that the attackers are trying to leverage CVE-2017-11882, a remote code execution bug in Equation Editor.

The flaw was patched in November 2017, but not all device administrators keep their operating systems up to date. Allegedly, it was one of the most popular vulnerabilities to exploit in 2018, due to organizations and consumers being relatively slow to patch it up.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.