Snake Keylogger Spreads via PDF Files Embedded with DOCX

Cybersecurity researchers have discovered a cybercriminal campaign that uses PDF attachments to install the Snake keylogger on victims’ systems. According to experts, PDF attachments are used much less frequently than DOCX or XLS files in such attacks. The likely reason for choosing this format is that people are becoming more aware of the dangers of carelessly opening Microsoft Office files. As a result, attackers may hope that PDFs will seem more trustworthy to potential victims.

How the Attack Works

In a report by HP Wolf Security, researchers provided an example of how PDFs are used to deliver documents containing malicious macros. The goal of these documents is to install malware on the user’s device that can steal sensitive information.

HP Wolf Security noted that the malicious PDFs are sent via email with the subject line “Remittance Invoice.” The body of the email claims the recipient is owed a payment. When the PDF is opened, Adobe Reader prompts the user to launch a DOCX file embedded within the original document.

This is unusual behavior for PDF files, and an experienced recipient might suspect something is wrong. However, the attackers tried to address this by naming the embedded file “has been verified,” so the user sees a message stating “File verified.”
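As an added defensive illustration (not code from the article or from HP Wolf Security), the script below scans raw PDF bytes for the attachment mechanism described above: it lists files reachable through /Filespec objects, flags Office documents and lure-like names such as "has been verified", and notes whether the PDF declares an open-time JavaScript or Launch action. The PDF it inspects is a constructed sample, and the extension and lure-word lists are assumptions for the example.

```python
import re

OFFICE_EXT = {".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm"}
LURE_WORDS = ("verified", "invoice", "remittance")  # wording of the lure in the article

# Constructed sample, not a real malicious file: a minimal uncompressed PDF with one
# attachment named like the lure and an open-time action whose JavaScript is a placeholder.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> /OpenAction 5 0 R >> endobj
2 0 obj << /Names [(has been verified.docx) 3 0 R] >> endobj
3 0 obj << /Type /Filespec /F (has been verified.docx) /EF << /F 4 0 R >> >> endobj
4 0 obj << /Type /EmbeddedFile /Length 4 >>
stream
PK\x03\x04
endstream
endobj
5 0 obj << /S /JavaScript /JS (/* placeholder */) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

def list_embedded_files(pdf: bytes) -> list:
    """Describe every attachment reachable through a /Filespec object."""
    found = []
    for m in re.finditer(rb"/Type\s*/Filespec(.*?)endobj", pdf, re.S):
        spec = m.group(1)
        name_m = re.search(rb"/(?:UF|F)\s*\((.*?)\)", spec)
        name = name_m.group(1).decode("latin-1") if name_m else ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ef = re.search(rb"/EF\s*<<\s*/F\s*(\d+)\s+0\s+R", spec)  # /EF points at the data stream
        # Locate "N 0 obj ... stream\n<data>\nendstream" and keep the first 4 bytes of data.
        obj = ef and re.search(rb"^" + ef.group(1) + rb"\s+0\s+obj.*?stream\r?\n(.*?)\r?\nendstream",
                               pdf, re.S | re.M)
        magic = obj.group(1)[:4] if obj else b""
        found.append({"name": name, "is_office": ext in OFFICE_EXT,
                      "is_zip": magic.startswith(b"PK\x03\x04"),  # OOXML files are ZIP containers
                      "lure_name": any(w in name.lower() for w in LURE_WORDS)})
    return found

def assess(pdf: bytes) -> list:
    """Return the reasons a mail gateway or sandbox should hold this PDF."""
    reasons = []
    for f in list_embedded_files(pdf):
        if f["is_office"] or f["is_zip"]:
            reasons.append(f"embedded Office document: {f['name']!r}")
        if f["lure_name"]:
            reasons.append(f"attachment name reads like a trust lure: {f['name']!r}")
    if re.search(rb"/OpenAction", pdf) and re.search(rb"/S\s*/(?:JavaScript|Launch)\b", pdf):
        reasons.append("open-time action (JavaScript/Launch) present")
    return reasons
```

Real-world PDFs usually pack their objects into compressed object streams, so a production check must inflate those (or use a full PDF parser) before applying pattern matching like this.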

Tricking the Victim

This approach is designed to make the potential victim believe that Adobe has confirmed the authenticity and safety of the embedded file. Naturally, the embedded DOCX file contains malicious macros, which then download another file in RTF format to the user’s computer.

Experts found that the attackers exploit an old vulnerability in Microsoft Equation Editor (CVE-2017-11882) to execute arbitrary code. This vulnerability was patched back in November 2017.

Final Stage: Snake Keylogger Installation

In the final stage of the attack, the modular Snake keylogger is downloaded onto the victim’s system. This malware collects and sends the victim’s confidential data to the attackers.
