The Cyber Security News
Snake Keylogger Spreads Through Malicious PDFs

May 23, 2022

Microsoft Word is also leveraged in the email campaign, which exploits a 22-year-old Office RCE bug.

While most malicious email campaigns use Word documents to hide and spread malware, a recently discovered campaign uses a malicious PDF file and a 22-year-old Office bug to deliver the Snake Keylogger malware, researchers have found.

The campaign, discovered by researchers at HP Wolf Security, aims to dupe victims with an attached PDF file purporting to contain information about a remittance payment, according to a blog post published Friday. Instead, it loads the information-stealing malware, using some tricky evasion tactics to avoid detection.


“While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems,” HP Wolf Security researcher Patrick Schlapfer wrote in the post, which opined in the headline that “PDF Malware Is Not Yet Dead.”

Indeed, attackers using malicious email campaigns have preferred to package malware in Microsoft Office file formats, particularly Word and Excel, for the past 10 years, Schlapfer said. In the first quarter of 2022 alone, nearly half (45 percent) of malware stopped by HP Wolf Security used Office formats, according to researchers.

“The reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures,” he wrote.

However, though the new campaign does use a PDF as the file lure, it later employs Microsoft Word to deliver the final payload, the Snake Keylogger, researchers found. Snake Keylogger is a malware built using .NET that first appeared in late 2020 and is aimed at stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data, according to Fortinet.

‘Unusual’ Campaign

The HP Wolf Security team discovered a new PDF-based threat campaign on March 23 with an “unusual infection chain,” involving not just a PDF but also “several tricks to evade detection, such as embedding malicious files, loading remotely-hosted exploits and shellcode encryption,” Schlapfer wrote.

Attackers target victims with emails that include a PDF document named “REMMITANCE INVOICE.pdf” (misspelling intended) as an attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file with a rather curious title, researchers found.

“The attackers sneakily named the Word document “has been verified. However PDF, Jpeg, xlsx, .docx” to make it look as though the file name was part of the Adobe Reader prompt,” according to the post.

The .docx file is stored as an EmbeddedFile object inside the PDF, which opens Microsoft Word if clicked on, researchers found. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then run in the context of the open document.

Researchers unzipped the contents of the .docx, which is an Office Open XML file, and found a URL hidden in its “document.xml.rels” file that is not a legitimate domain normally found in Office documents, they reported.

17-Year-Old Bug Exploited

Connecting to this URL leads to a redirect and then downloads an RTF document called “f_doc_shp.doc.” This document contained two “not well-formed” OLE objects that revealed shellcode exploiting CVE-2017-11882, which researchers said is an “over 4-years-old” remote code execution (RCE) vulnerability in Equation Editor.

Equation Editor is an application installed by default with the Office suite that is used to insert and edit complex equations as Object Linking and Embedding (OLE) items in Microsoft Word documents.

It turns out, however, that the bug attackers leverage in the campaign is actually one that Microsoft patched more than four years ago, in 2017 to be exact, but that had existed for some 17 years before that, making it 22 years old now.

As the final act of the attack, researchers found shellcode stored in the “OLENativeStream” structure at the end of one of the OLE objects they examined. The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed and leads to an executable called fresh.exe that loads the Snake Keylogger, researchers observed.
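The chain above has three static hand-offs a defender can check for without opening anything: a PDF carrying an EmbeddedFile object, an Office Open XML package whose `document.xml.rels` points at an external URL, and an RTF carrying OLE objects (Equation Editor, the target of CVE-2017-11882, is the `Equation.3` class). The script below is an added example, not code from HP Wolf Security or Threatpost; the sample files, the placeholder host `attacker.invalid`, and all helper names are constructed for illustration.

```python
# Static triage for the three delivery stages in the article: a PDF with an
# EmbeddedFile, an OOXML package whose .rels points at an external URL, and an
# RTF carrying OLE objects. Added example, not HP Wolf Security's or Threatpost's
# code; every sample, URL and helper name below is constructed for illustration.
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Stage 1: PDF attachment. Heuristic over uncompressed object dictionaries only;
# attachments inside compressed object streams need a real PDF parser.
PDF_EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile\b|/EmbeddedFiles\b")
PDF_FILESPEC_RE = re.compile(rb"/Type\s*/Filespec[^>]*?/F\s*\(([^)]*)\)")  # stays inside one dict

def pdf_embedded_files(data: bytes) -> list:
    """Attachment names found in a PDF; [] when nothing is embedded."""
    if not PDF_EMBEDDED_RE.search(data):
        return []
    names = [m.group(1).decode("latin-1") for m in PDF_FILESPEC_RE.finditer(data)]
    return names or ["<unnamed embedded file>"]

# Stage 2: OOXML relationship that resolves outside the package.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

def ooxml_external_targets(data: bytes) -> list:
    """(part, target) for each TargetMode="External" relationship in any .rels part."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(part)).iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((part, rel.get("Target", "")))
    return found

# Stage 3: RTF OLE objects. "Equation.3" is the Equation Editor class the
# article's exploit targets; an object with no class at all is also suspicious.
RTF_OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")

def rtf_ole_objects(data: bytes) -> list:
    """The \\objclass of every \\object in an RTF file, '<no objclass>' if absent."""
    if not data.startswith(b"{\\rtf"):
        return []
    classes = []
    for chunk in re.split(rb"\\object\b", data)[1:]:  # text following each \object
        m = RTF_OBJCLASS_RE.search(chunk)
        classes.append(m.group(1).decode("ascii", "replace") if m else "<no objclass>")
    return classes

def triage(data: bytes) -> dict:
    """Sniff the container by its magic bytes and run the matching check."""
    if data.startswith(b"%PDF"):
        return {"kind": "pdf", "embedded_files": pdf_embedded_files(data)}
    if data.startswith(b"{\\rtf"):
        return {"kind": "rtf", "ole_objects": rtf_ole_objects(data)}
    if data.startswith(b"PK"):
        return {"kind": "ooxml", "external_targets": ooxml_external_targets(data)}
    return {"kind": "unknown"}

# Constructed samples, not the campaign's real files. The attachment name reuses
# the lure title quoted in the article; the host is a placeholder (.invalid TLD).
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles << /Names [(a) 3 0 R] >> >> >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (has been verified. However PDF, Jpeg, xlsx, .docx)"
    b" /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
REL = '<Relationship Id="rId%d" Type="placeholder" Target="%s"%s/>'
CLEAN_RELS = f'<Relationships xmlns="{RELS_NS}">' + REL % (1, "styles.xml", "") + "</Relationships>"
SUSPICIOUS_RELS = (
    f'<Relationships xmlns="{RELS_NS}">' + REL % (1, "styles.xml", "")
    + REL % (2, "http://attacker.invalid/f_doc_shp.doc", ' TargetMode="External"')
    + "</Relationships>"
)
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 Remittance details\n"
    b"{\\object\\objemb\\objw1\\objh1{\\*\\objclass Equation.3}{\\*\\objdata 0105}}\n"
    b"{\\object\\objemb{\\*\\objdata 0105}}}"
)

def build_docx(rels_xml: str) -> bytes:
    """Minimal OOXML zip whose word/_rels/document.xml.rels is rels_xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

if __name__ == "__main__":
    for blob in (SAMPLE_PDF, build_docx(SUSPICIOUS_RELS), SAMPLE_RTF):
        print(triage(blob))
```

Each check is a cheap mail-gateway or sandbox pre-filter rather than a verdict: a PDF that carries an Office attachment, a docx whose relationships leave the package, or an RTF with any embedded object at all are all worth routing to deeper analysis, and none of them requires Protected View to be off to be caught. The PDF check in particular is a heuristic over plain-text object dictionaries; attachments tucked into compressed object streams will only surface with a full PDF parser.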


Some parts of this article are sourced from:
threatpost.com

Copyright © TheCyberSecurity.News, All Rights Reserved.