Hackers have found a new way to smuggle malware onto your device

Cybersecurity researchers at HP Wolf Security have detected a new cybercrime campaign exploiting PDF files in an attempt to distribute Snake keylogger to vulnerable endpoints.

According to the researchers, the threat actors would first send an email with the subject line "Remittance invoice", in an attempt to trick victims into believing that they will be paid for something.

The email would contain a PDF file as an attachment, which can reassure the victim that the email is legitimate, since Word or Excel attachments often raise suspicion.

Abuse of a known defect

However, a Word document, titled "has been verified", is embedded in the PDF. When the victim opens the attached file, they receive a message asking whether or not they want to open the second file. The message says "The file 'has been verified'. However, PDF, jpeg, xlsx, docx files may contain programs, macros or viruses."

This could trick the victim into thinking that their PDF reader has scanned the file and is ready to go.

The Word file, as you might expect, comes with a macro that, if enabled, will download an RTF (Rich Text Format) file from a remote location and run it. The file would then attempt to download Snake Keylogger, a piece of malware described by BleepingComputer as a "modular information stealer with powerful persistence, defense evasion, credential access, data, and data exfiltration."
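The lure described above (a PDF carrying an embedded Word document) leaves a recognisable trace in the PDF structure: a /Filespec object naming the attachment. The following triage scanner is an added example, not code from HP Wolf Security or the article; it searches raw PDF bytes for embedded file specifications pointing at Office documents, and the sample PDF it runs on is constructed here to mimic that structure.

```python
import re

# Constructed sample: a minimal, uncompressed PDF skeleton carrying an
# embedded file specification for a Word document. It is NOT the campaign's
# real attachment; it only reproduces the structure a scanner looks for.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(has been verified.docx) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Filespec /F (has been verified.docx) /UF (has been verified.docx) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Extensions that, when embedded in a PDF, warrant a closer look (Office files can carry macros).
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".dotm", ".xls", ".xlsx", ".xlsm", ".rtf")

# Match a /Filespec dictionary and pull the literal-string /F entry from it.
# The tempered dot stops the match at "endobj" so one object cannot bleed into the next.
FILESPEC_RE = re.compile(
    rb"/Type\s*/Filespec(?:(?!endobj).)*?/F\s*\((?P<name>[^)]*)\)", re.DOTALL
)

def embedded_file_names(pdf_bytes):
    """Return the /F file names of all /Filespec objects stored as plain literal strings."""
    return [m.group("name").decode("latin-1") for m in FILESPEC_RE.finditer(pdf_bytes)]

def triage(pdf_bytes):
    """Cheap static indicators for a PDF, without rendering or opening it."""
    findings = {
        "has_embedded_files": b"/EmbeddedFile" in pdf_bytes,
        "has_open_action": b"/OpenAction" in pdf_bytes,
        "has_javascript": b"/JavaScript" in pdf_bytes or b"/JS" in pdf_bytes,
        "office_attachments": [],
    }
    for name in embedded_file_names(pdf_bytes):
        if name.lower().endswith(OFFICE_EXTENSIONS):
            findings["office_attachments"].append(name)
    # An Office document embedded in an "invoice" PDF is the pattern this campaign relies on.
    findings["suspicious"] = bool(findings["office_attachments"])
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Real-world PDFs frequently store these dictionaries inside compressed object streams, where the tokens are not visible to a byte scan; normalise the file first (for example with `qpdf --qdf --object-streams=disable`) before running the check, and treat hex-encoded or escaped file names as a limitation of this simplified string match.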

The attack only succeeds if the target endpoint is still vulnerable to a specific flaw. The researchers discovered that the attackers were attempting to exploit CVE-2017-11882, a remote code execution bug in the Equation Editor.

The flaw was fixed in November 2017, but not every administrator keeps their systems up to date. Apparently, this was one of the most popular vulnerabilities to exploit in 2018, as organizations and consumers were relatively slow to patch it.

Via: BleepingComputer