Threat researchers have found a new malware distribution campaign that uses PDF attachments to transport infected Word documents into users' computers. Most phishing emails today include DOCX or XLS attachments loaded with malware-loading macro code, thus the use of PDFs is unusual. Threat actors are switching to different methods to install harmful macros and escape identification as users grow more aware of opening fraudulent Microsoft Office attachments.
In a new report by HP Wolf Security, researchers show how PDFs are being exploited as a transport for documents containing malicious macros that download and install information-stealing malware on victims' devices. The PDF arriving through email in a campaign seen by HP Wolf Security is called "Remittance Invoice," and the guess is that the email body contains vague assurances of payment to the recipient.
When the PDF is accessed, Adobe Reader prompts the user to open a DOCX file contained therein, which is unusual and may cause the victim to become confused.
"The file 'has been verified," says the Open File prompt, because the threat actors named the embedded document "has been verified." This message may lead recipients to believe that Adobe has authenticated the file and that it is safe to open. While malware investigators can use parsers and scripts to investigate embedded files in PDFs, most average users wouldn't go that far or even know where to begin.
As a result, many people will open the DOCX in Microsoft Word and, if macros are allowed, will download and open an RTF (rich text format) file from a remote location.
The command is inserted in the Word file, coupled with the hardcoded URL "vtaurl[.]com/IHytw," which is where the payload is hosted, to download the RTF.
Attacking old RCE
The RTF file is called "f_document_shp.doc" and contains faulty OLE objects that are likely to elude detection. HP's experts discovered that it attempts to exploit an outdated Microsoft Equation Editor vulnerability to execute arbitrary code.
The shellcode used in the attack targets CVE-2017-11882, a remote code execution flaw in Equation Editor that was addressed in November 2017 but is still exploitable in the wild.
When the flaw was revealed, hackers were quick to notice it, and the sluggish patching that followed led to it becoming one of the most abused vulnerabilities in 2018.
The RTF shellcode downloads and runs Snake Keylogger, a modular info-stealer with powerful persistence, defence evasion, credential access, data harvesting, and data exfiltration capabilities, by exploiting CVE-2017-11882.
