Snake Keylogger Spreads Through Malicious PDFs


Microsoft Word is also leveraged in the email campaign, which takes advantage of a 22-year-old Office RCE bug.

While most malicious email campaigns use Word documents to hide and spread malware, a recently discovered campaign uses a malicious PDF file and a 22-year-old Office bug to propagate the Snake Keylogger malware, researchers have found.

The campaign—discovered by researchers at HP Wolf Security—aims to dupe victims with an attached PDF file purporting to contain information about a remittance payment, according to a blog post published Friday. Instead, it loads the info-stealing malware, using several evasion tactics to avoid detection.

“While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems,” HP Wolf Security researcher Patrick Schlapfer wrote in the post, whose headline opined that “PDF Malware Is Not Yet Dead.”

Indeed, attackers running malicious email campaigns have preferred to deliver malware in Microsoft Office file formats, particularly Word and Excel, for the past decade, Schlapfer noted. In the first quarter of 2022 alone, nearly half (45 percent) of the malware stopped by HP Wolf Security used Office formats, according to the researchers.

“The reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures,” he wrote.

However, while the new campaign uses a PDF as the file lure, it later employs Microsoft Word to deliver the final payload—the Snake Keylogger, researchers found. Snake Keylogger is a .NET-based malware that first appeared in late 2020 and is aimed at stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data, according to Fortinet.

‘Unusual’ Campaign

The HP Wolf Security team spotted a new PDF-based threat campaign on March 23 with an “unusual infection chain,” involving not just a PDF but also “several tricks to evade detection, such as embedding malicious files, loading remotely-hosted exploits and shellcode encryption,” Schlapfer wrote.

Attackers target victims with emails carrying a PDF document named “REMMITANCE Invoice.pdf”—misspelling intended—as an attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file with a rather curious name, researchers found.

“The attackers sneakily named the Word document “has been verified. However PDF, Jpeg, xlsx, .docx” to make it look as though the file name was part of the Adobe Reader prompt,” according to the post.

The .docx file is stored as an EmbeddedFile object in the PDF, and clicking it opens Microsoft Word, researchers found. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then run in the context of the open document.
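The first stage described above rests on a PDF feature that is legitimate but rarely seen in invoices: a file embedded in the document and offered to the reader by name. As an added example that is not HP Wolf Security's or Threatpost's code, the triage script below scans a PDF's raw bytes for EmbeddedFile objects, the display name attached to them, and whether the embedded stream is a ZIP package (which is what a .docx is). The PDF it scans is constructed by hand for the example; it carries no payload, only the decoy file name quoted in the article, and the function names `scan_pdf` and `triage` are my own.

```python
"""Static triage of a PDF for embedded-file lures (added example, not the
campaign sample).  Works on the raw bytes, so it needs no PDF library."""
import re

# Constructed stand-in for the lure: a /Filespec whose /F is the decoy name from
# the article, pointing at an /EmbeddedFile stream that starts with the ZIP
# magic bytes.  The /Type name is written with a #xx hex escape on purpose,
# a common trick for hiding keywords from naive scanners.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 5 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Filespec /F (has been verified. However PDF, Jpeg, xlsx, .docx) /EF << /F 6 0 R >> >> endobj
5 0 obj << /Names [(docx) 4 0 R] >> endobj
6 0 obj << /Type /Embedded#46ile /Length 5 >> stream
PK\x03\x04\x14
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /F (...) and /UF (...) carry the file name shown to the user; the inner
# group tolerates escaped parentheses inside the string.
FILENAME_RE = re.compile(rb"/(?:UF|F)\s*\(((?:[^()\\]|\\.)*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
ZIP_MAGIC = b"PK\x03\x04"


def _decode_name_escapes(data: bytes) -> bytes:
    """Undo #xx escapes in PDF names so /Embedded#46ile reads as /EmbeddedFile."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Collect the indicators a defender wants before opening an attachment."""
    text = _decode_name_escapes(data)
    names = [m.group(1).decode("latin-1") for m in FILENAME_RE.finditer(text)]
    streams = [m.group(1) for m in STREAM_RE.finditer(text)]
    return {
        # \b keeps /EmbeddedFiles (the name tree) from counting as a file.
        "embedded_files": len(re.findall(rb"/Type\s*/EmbeddedFile\b", text)),
        "file_names": names,
        "zip_payloads": sum(1 for s in streams if s.startswith(ZIP_MAGIC)),
        "open_action": b"/OpenAction" in text,
        "javascript": b"/JavaScript" in text or b"/JS" in text,
    }


def triage(data: bytes) -> list:
    """Turn the scan into human-readable reasons for quarantine."""
    report = scan_pdf(data)
    reasons = []
    if report["embedded_files"]:
        reasons.append("embedded file(s): %d" % report["embedded_files"])
    if report["zip_payloads"]:
        reasons.append("embedded OOXML/ZIP payload")
    for name in report["file_names"]:
        if name.lower().endswith((".docx", ".doc", ".xlsx", ".rtf", ".exe", ".js")):
            reasons.append("embedded file named like an Office/executable: %r" % name)
    if report["open_action"]:
        reasons.append("document runs an action on open")
    if report["javascript"]:
        reasons.append("document contains JavaScript")
    return reasons


if __name__ == "__main__":
    for reason in triage(SAMPLE_PDF):
        print("-", reason)
```

The scan looks only at uncompressed syntax. A PDF can hide the same objects inside FlateDecode object streams, so on real samples run this after inflating with a PDF parser, or treat the mere presence of `/ObjStm` plus an `/EmbeddedFiles` name tree as reason enough to detonate the file in a sandbox.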

Researchers unzipped the contents of the .rtf—which is an Office Open XML file—and found a URL hidden in the “document.xml.rels” file that is not a legitimate domain normally found in Office documents, they noted.
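The URL the researchers found lives in the package's relationship part, `word/_rels/document.xml.rels`, as a Relationship whose `TargetMode="External"` tells Word to fetch the target from outside the file. Ordinary documents almost never carry external relationships other than clickable hyperlinks, so listing them is a cheap and reliable check. The script below is an added example, not HP Wolf Security's or Threatpost's code: it builds a minimal .docx in memory (constructed for the example, with the placeholder host `example.invalid` standing in for the campaign's server) and then reports every external relationship, marking those that Word resolves automatically on open. The function names `build_sample_docx` and `external_relationships` are mine.

```python
"""List external relationships in an Office Open XML package (added example).
A .docx is a ZIP; every *.rels part inside it is a small XML file."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types a user has to click on; everything else that is External is
# resolved by Word itself when the document is opened.
CLICK_ONLY = {"hyperlink"}


def build_sample_docx() -> bytes:
    """Constructed minimal package: one normal internal relationship plus one
    external oleObject relationship pointing at a placeholder host."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="%soleObject" '
        'Target="http://example.invalid/stage2" TargetMode="External"/>'
        '</Relationships>'
    ) % (REL_NS, OFFICE_REL, OFFICE_REL)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list:
    """Return one record per External relationship found in any .rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": target,
                    "host": urlparse(target).hostname,
                    # fetched without user interaction -> the dangerous kind
                    "auto_fetch": rel_type not in CLICK_ONLY,
                })
    return findings


if __name__ == "__main__":
    for f in external_relationships(build_sample_docx()):
        flag = "AUTO-FETCH" if f["auto_fetch"] else "click-only"
        print("%s %s -> %s (%s)" % (f["part"], f["type"], f["target"], flag))
```

Compare the reported hosts against the domains your organisation's templates and document-management system legitimately use; an `oleObject`, `attachedTemplate` or `frame` relationship to anything else is a strong signal, and is exactly the kind of entry that would not survive in a document opened under Protected View.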

17-Year-Old Bug Exploited

Connecting to this URL leads to a redirect and then downloads an RTF document called “f_doc_shp.doc.” This document contained two “not well-formed” OLE objects that revealed shellcode exploiting CVE-2017-11882, which researchers said is an “over 4-years-old” remote code execution (RCE) vulnerability in Equation Editor.

Equation Editor is an application installed by default with the Office suite; it is used to insert and edit complex equations as Object Linking and Embedding (OLE) items in Microsoft Word documents.

It turns out, however, that the bug the attackers leverage in the campaign is one that Microsoft patched more than four years ago—in 2017, to be exact—but which had existed some 17 years before that, making it 22 years old now.

As the final act of the attack, researchers found shellcode stored in the “OLENativeStream” structure at the end of one of the OLE objects they examined. The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed, leading to an executable called fresh.exe that loads the Snake Keylogger, researchers found.
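The RTF stage above is the one most worth catching before Word ever parses it: an RTF `\object` group carries its OLE payload as hex in `\objdata`, and the OLE1 header at the start of that blob names the server class (Equation Editor registers as `Equation.3`). The two objects the researchers describe were "not well-formed", which is itself a signal, since a benign editor writes complete headers. The script below is an added example and not HP Wolf Security's or Threatpost's code; the RTF it parses is constructed by hand, contains no exploit, and only exercises the header parsing (one object naming Equation.3, one with a truncated header). The function names `rtf_ole_objects` and `_parse_ole1_header` are mine.

```python
"""Triage embedded OLE objects in an RTF file (added example, no exploit data).
Each \\objdata group is hex-encoded OLE1 data whose header starts with:
    version (4 bytes) | format (4 bytes, 1 = linked, 2 = embedded)
    class name length (4 bytes) | class name (ASCII, NUL-terminated)"""
import re

EQUATION_CLASS = "Equation"   # Equation.3 is the Equation Editor ProgID

# Constructed RTF: object 1 has a well-formed header naming Equation.3 and four
# bytes of dummy native data; object 2's header is cut off after five bytes.
SAMPLE_RTF = r"""{\rtf1\ansi
{\object\objemb{\*\objclass Equation.3}{\*\objdata
01050000 02000000 0b000000 457175617469 6f6e2e3300
00000000 00000000 04000000 deadbeef}}
{\object\objemb{\*\objclass Word.Document.8}{\*\objdata 0105000002}}
}"""

OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")
OBJCLASS_RE = re.compile(r"\\objclass\s+([^}\\]+)")


def _parse_ole1_header(blob: bytes):
    """Return the class name from an OLE1 header, or None if it is malformed."""
    if len(blob) < 12:
        return None
    fmt = int.from_bytes(blob[4:8], "little")
    name_len = int.from_bytes(blob[8:12], "little")
    if fmt not in (1, 2) or len(blob) < 12 + name_len:
        return None
    return blob[12:12 + name_len].rstrip(b"\0").decode("ascii", "replace")


def rtf_ole_objects(rtf: str) -> list:
    """One record per \\objdata group: the class RTF declares, the class the
    OLE1 header declares, and whether the object is malformed or suspicious."""
    results = []
    pos = 0
    for m in OBJDATA_RE.finditer(rtf):
        # the \objclass belonging to this object precedes its \objdata
        declared = OBJCLASS_RE.findall(rtf[pos:m.start()])
        declared_class = declared[-1].strip() if declared else ""
        pos = m.end()
        try:
            blob = bytes.fromhex(re.sub(r"\s+", "", m.group(1)))
        except ValueError:
            blob = b""
        header_class = _parse_ole1_header(blob)
        malformed = header_class is None
        results.append({
            "declared_class": declared_class,
            "header_class": header_class,
            "malformed": malformed,
            # Equation Editor objects and broken headers both warrant a sandbox run
            "suspicious": malformed
                or EQUATION_CLASS in (header_class or "")
                or EQUATION_CLASS in declared_class,
        })
    return results


if __name__ == "__main__":
    for obj in rtf_ole_objects(SAMPLE_RTF):
        print(obj)
```

Real samples often pad `\objdata` with junk control words or split the hex across thousands of lines to defeat exactly this kind of regex, so on anything this flags the next step is a full RTF tokenizer (rtfobj from oletools does this) rather than trusting a clean verdict. On the endpoint side, Equation Editor (EQNEDT32.EXE) was removed by Microsoft's January 2018 update; a host where it still spawns from Word is unpatched against CVE-2017-11882 regardless of what the document looks like.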

Some parts of this article are sourced from:
threatpost.com
