Malware-Spreading PDF Employs Deceptive File Name to Steal Info

Cybercriminals using the Snake keylogger malware for Windows are emailing malicious PDFs with embedded Word documents to infect computers and steal information.

According to security analysts at HP’s Wolf Security, who recently identified the PDF malware campaign, malicious PDFs are an uncommon choice nowadays, since attackers favor Office formats such as Word and Excel, which PC users are more accustomed to opening.

According to the findings, the malicious PDFs were used to infect PCs with Snake, a keylogger and credential stealer first discovered in late November 2020.

The attackers sent an email with a PDF attachment that contained a Word document named “has been confirmed PDF, Jpeg, xlsx, and . docs are exceptions”. Looking at the prompt Adobe Reader displays when asking whether the user wants to open this file, the reason for choosing this unusual and genuinely deceptive file name for the Word document becomes evident.

An employee could mistakenly believe that the file has been vetted and is safe to open.

When the recipient clicks “Open this file”, Microsoft Word launches. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server and runs it in the context of the open document, according to HP.

Note that Microsoft Office by default opens documents from the internet in Protected View or Application Guard for Office.

However, after studying the Word document, HP experts discovered an unauthorized URL from which an external object linking and embedding (OLE) object was loaded. The OLE object contains shellcode that exploits CVE-2017-11882, a well-known remote code execution vulnerability in the Microsoft Office Equation Editor.
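As an added defensive illustration (not code from HP or from the article), the snippet below pulls the declared filenames of embedded files out of a PDF and flags names that, like the one in this campaign, hide an Office document, read like a security verdict, and mention formats other than the file's real extension. The sample PDF and the keyword lists are constructed for the example.

```python
import re

# Constructed sample, not a file from the campaign: an uncompressed PDF fragment
# whose Filespec points at an embedded Word document with a lure-style name.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj
2 0 obj << /Names [(lure) 3 0 R] >> endobj
3 0 obj << /Type /Filespec
  /F (has been confirmed PDF, Jpeg, xlsx, and . docs are exceptions.docx)
  /EF << /F 4 0 R >> >> endobj
4 0 obj << /Type /EmbeddedFile /Length 4 >>
stream
PK\x03\x04
endstream
endobj
"""

OFFICE_EXTS = (".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm")
FORMAT_WORDS = ("pdf", "jpeg", "jpg", "png", "xlsx", "docx")
LURE_WORDS = ("confirmed", "verified", "approved", "scanned", "safe")

FILESPEC_RE = re.compile(rb"/Type\s*/Filespec(.*?)endobj", re.DOTALL)
NAME_RE = re.compile(rb"/U?F\s*\(([^)]*)\)")  # /F or /UF string entry

def find_embedded_files(pdf):
    # Return the declared filename of every Filespec in an uncompressed PDF.
    names = []
    for spec in FILESPEC_RE.finditer(pdf):
        m = NAME_RE.search(spec.group(1))
        if m:
            names.append(m.group(1).decode("latin-1"))
    return names

def assess(filename):
    # Return the reasons an embedded filename looks suspicious (empty = none).
    lower = filename.lower().strip()
    ext = lower.rsplit(".", 1)[-1]
    reasons = []
    if lower.endswith(OFFICE_EXTS):
        reasons.append("office document embedded in PDF")
    if any(w in lower for w in LURE_WORDS):
        reasons.append("filename reads like a security verdict")
    mentioned = {w for w in FORMAT_WORDS if re.search(rf"\b{w}\b", lower)}
    if mentioned - {ext}:
        reasons.append("filename names formats other than its own extension")
    return reasons

def scan(pdf):
    # Map each suspicious embedded filename to its reasons.
    return {n: r for n in find_embedded_files(pdf) if (r := assess(n))}
```

Real malicious PDFs usually keep these dictionaries inside compressed object streams, so run this over a decompressed copy or feed the filenames from a full PDF parser; the filename heuristics are the point, not the parsing.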

The report said: “The first type of downloader we’ve seen used to deploy Snake are RTF documents containing the well-known Microsoft Office Equation Editor exploit (CVE-2017-11882).”

“The documents were renamed with .DOC file extensions and attached to emails themed as legitimate business communications. If the recipient runs a vulnerable version of Microsoft Office, the exploit downloads an executable from a remote server and executes it. This file is a packed version of Snake keylogger,” the research report added.

The vulnerability exploited in this campaign (CVE-2017-11882) is more than four years old but is still being used, which shows that the exploit remains effective for attackers, HP noted.

According to the researchers, campaigns spreading this malware have been observed almost daily since Snake was first identified. The HP analysis found that five keylogger families active in the last two years most likely share the same code base.

The HP analysis noted that this is not an exhaustive list, so other keyloggers with similar code may also be in circulation.

“This ‘remix’ behavior of opportunistically copying source code from established malware families demonstrates how easy it is for cybercriminals to create their own malware-as-service businesses – and the importance for enterprise defenses to stay ahead of malware developers,” it read.
