HP threat analysts have discovered a recent malware distribution campaign that uses PDF attachments to smuggle malicious Word documents and infect users with malware.
Most malicious emails today arrive with DOCX or XLS attachments laced with malware-loading macro code, so the choice of PDF as the carrier is unusual.
Embedding Word in PDFs
In a campaign seen by HP Wolf Security, the PDF arriving via email is named “Remittance Invoice.” When the PDF is opened, Adobe Reader prompts the user to open a DOCX file contained inside, which looks strange and might confuse the victim.
Because the threat actors named the embedded document “has been verified,” the Open File prompt states, “The file ‘has been verified.’” This message could trick recipients into believing that Adobe verified the file as legitimate and that it is safe to open.
Analyzing the PDF file reveals that the .docx file is stored as an embedded file object.
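A mail gateway or analyst can spot this carrier trick without opening the PDF: the Filespec and EmbeddedFile dictionaries that hold the .docx are plain text in the file. The scanner below is an added example written for this article, not HP's tooling; the sample PDF is constructed here (only its embedded-file name is taken from the report), and it reads literal dictionaries only, so a real deployment would decompress object streams first.

```python
import re

# Constructed sample, not a file from the campaign: a minimal PDF whose only
# embedded file is a .docx named after the lure quoted in the report.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(lure) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
4 0 obj << /Type /Filespec /F (has been verified. however pdf, jpeg, xlsx, .docx) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Subtype /application#2Fvnd.openxmlformats-officedocument.wordprocessingml.document /Length 4 >>
stream
PK\x03\x04
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

FILESPEC_RE = re.compile(rb"/Type\s*/Filespec(.*?)>>\s*endobj", re.S)
SUBTYPE_RE = re.compile(rb"/Type\s*/EmbeddedFile[^>]*?/Subtype\s*/([^\s/<>\[\]]+)")
OFFICE_MARKERS = ("wordprocessingml", "spreadsheetml", "presentationml",
                  "msword", "ms-excel", "rtf")


def decode_pdf_name(raw: bytes) -> str:
    # PDF name objects escape arbitrary bytes as #xx (e.g. #2F for "/").
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), raw).decode("latin-1")


def _filespec_name(spec: bytes) -> str:
    # /UF (Unicode name) takes precedence over /F when both are present.
    m = re.search(rb"/UF\s*\((.*?)\)", spec) or re.search(rb"/F\s*\((.*?)\)", spec)
    return m.group(1).decode("latin-1") if m else "<unnamed>"


def scan_pdf(pdf: bytes) -> dict:
    """Collect embedded-file names and MIME types plus the auto-run keys an
    analyst checks first. Literal (uncompressed) dictionaries only."""
    return {
        "embedded_files": [_filespec_name(m.group(1)) for m in FILESPEC_RE.finditer(pdf)],
        "mime_types": [decode_pdf_name(m.group(1)) for m in SUBTYPE_RE.finditer(pdf)],
        "open_action": b"/OpenAction" in pdf,
        "javascript": b"/JavaScript" in pdf or b"/JS" in pdf,
        "launch": b"/Launch" in pdf,
    }


def triage(pdf: bytes) -> list:
    """Human-readable reasons to route the PDF for deeper analysis."""
    info = scan_pdf(pdf)
    reasons = []
    for mime in info["mime_types"]:
        if any(marker in mime for marker in OFFICE_MARKERS):
            reasons.append(f"embedded Office document ({mime})")
    for name in info["embedded_files"]:
        # Heuristic: a file name that reads like a sentence is built to turn
        # the reader's "open this file" prompt into a reassuring message.
        if ". " in name or name.endswith("."):
            reasons.append(f"sentence-like embedded file name: {name!r}")
    for key, label in (("open_action", "/OpenAction"),
                       ("javascript", "/JavaScript"), ("launch", "/Launch")):
        if info[key]:
            reasons.append(f"contains {label}")
    return reasons


if __name__ == "__main__":
    for reason in triage(SAMPLE_PDF):
        print("-", reason)
```

Any hit on an embedded Office MIME type is a strong reason to detonate the attachment in a sandbox, whatever the file name says; the name heuristic only adds context about the social-engineering angle.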
If we return to our PDF document and click on “Open this file” at the prompt, Microsoft Word opens. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then run in the context of the open document.
The RTF download is triggered by a command embedded in the Word file, alongside the hardcoded URL “vtaurl[.]com/IHytw”, which is where the payload is hosted.
Exploiting old RCE
The RTF document is named “f_document_shp.doc” and contains malformed OLE objects, likely to evade analysis. After some targeted reconstruction, HP’s analysts found that it attempts to abuse an old Microsoft Equation Editor vulnerability to run arbitrary code.
The shellcode exploits CVE-2017-11882, a remote code execution bug in Equation Editor. Microsoft fixed it in November 2017, but it is still exploited in the wild, and the slow patching that followed made it one of the most exploited vulnerabilities in 2018.
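Both of the next two stages leave static traces that a defender can check before any macro or exploit runs: the Word file's OLE relationship points at an external URL rather than an embedded part, and the RTF carries an OLE object whose class is Equation Editor. The code below is an added example written for this article, not HP's analysis tooling. The .docx and .rtf inputs are constructed in the block (the external target reuses the defanged URL from the report), and the Equation Editor 3.0 class identifier is a well-known value that is not taken from the report. The hex cleaning in `_decode_objdata` is a deliberately tolerant heuristic for the malformed objects the report mentions, pairing of `\objclass` with `\objdata` by order is an assumption that holds for simple files.

```python
import io
import re
import uuid
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Equation Editor 3.0 class id (well-known value, not taken from the report).
EQNEDT_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")


def build_sample_docx() -> bytes:
    """Constructed .docx: one oleObject relationship that resolves to an external
    URL (defanged URL from the report) instead of an embedded part."""
    rels = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{PKG_RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="http://vtaurl[.]com/IHytw" TargetMode="External"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def external_ole_links(docx: bytes) -> list:
    """Every relationship in any .rels part that Word would resolve over the network."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    hits.append({"part": name,
                                 "type": rel.get("Type", "").rsplit("/", 1)[-1],
                                 "target": rel.get("Target", "")})
    return hits


# Constructed RTF: one embedded OLE object whose OLE1 header names Equation.3.
SAMPLE_RTF = rb"""{\rtf1\ansi\deff0
{\object\objemb{\*\objclass Equation.3}{\*\objdata
0105 0000 0200 0000 0b00 0000 4571 7561 7469 6f6e 2e33 00
0000 0000 0000 0000 }}
\par }"""

OBJCLASS_RE = re.compile(rb"\\objclass\s*([^{}\\]+)", re.I)
OBJDATA_RE = re.compile(rb"\\objdata\s*([^}]*)", re.I)


def _decode_objdata(raw: bytes) -> bytes:
    # Tolerant decode: drop interleaved control words and any non-hex filler
    # that obfuscated RTF inserts to break stricter parsers (heuristic).
    raw = re.sub(rb"\\[A-Za-z]+-?\d*", b"", raw)
    digits = re.sub(rb"[^0-9A-Fa-f]", b"", raw)
    if len(digits) % 2:
        digits = digits[:-1]
    return bytes.fromhex(digits.decode("ascii"))


def rtf_equation_objects(rtf: bytes) -> list:
    """Describe each \\objdata blob: declared class, OLE1 class name, CLSID presence."""
    classes = [m.group(1).strip().decode("latin-1") for m in OBJCLASS_RE.finditer(rtf)]
    hits = []
    for i, m in enumerate(OBJDATA_RE.finditer(rtf)):
        data = _decode_objdata(m.group(1))
        ole_class = ""
        if len(data) >= 12:                       # OLE1 header: version, format, name length
            n = int.from_bytes(data[8:12], "little")
            ole_class = data[12:12 + n].rstrip(b"\0").decode("latin-1", "replace")
        hit = {"objclass": classes[i] if i < len(classes) else "",
               "ole_class": ole_class,
               "clsid_present": EQNEDT_CLSID.bytes_le in data}
        hit["equation_editor"] = (hit["clsid_present"]
                                  or "equation" in (hit["objclass"] + hit["ole_class"]).lower())
        hits.append(hit)
    return hits


if __name__ == "__main__":
    print(external_ole_links(build_sample_docx()))
    print(rtf_equation_objects(SAMPLE_RTF))
```

An external oleObject relationship in a document that arrived by mail is rarely legitimate and is worth blocking at the gateway on its own; an Equation Editor object in an RTF is a direct indicator for the CVE-2017-11882 exploit path, which is also a reason to confirm that the 2017 patch (or removal of Equation Editor) has actually landed on endpoints.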
By exploiting CVE-2017-11882, the shellcode in the RTF downloads and runs Snake Keylogger, a modular info-stealer with powerful persistence, defense evasion, credential access, data harvesting, and data exfiltration capabilities.
Indicators referenced in the report:
- Embedded document file name: "has been verified. however pdf, jpeg, xlsx, .docx"
- fresh.exe (Snake Keylogger)
- External OLE reference URL
- External OLE reference final URL
- Snake Keylogger payload URL
- Snake Keylogger exfiltration via SMTP