Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label PDF. Show all posts
PDF
APT36 Avast avira cyber espionage HTTP Kaspersky malware PDF

Advanced Malware Campaigns Target Government and Academic Organizations


Cybersecurity researchers have identified ongoing cyber-espionage campaigns targeting government departments, academic institutions, and strategically important organizations across South Asia. The activity has been attributed to two established threat actors, Transparent Tribe and Patchwork, both known for maintaining long-term access to compromised systems.

Transparent Tribe, also tracked as APT36, has been active since at least 2013 and is associated with repeated intelligence-gathering operations against Indian organizations. In its latest campaign, the group used spear-phishing emails carrying ZIP archives that contained Windows shortcut files disguised as legitimate PDF documents. These shortcut files included real PDF content to appear harmless.

When opened, the shortcut launches a hidden process using the Windows utility mshta.exe, which runs an HTML Application script. This script decrypts and loads the final remote access trojan directly into system memory while simultaneously opening a decoy PDF to avoid alerting the victim. The script also interacts with Windows through ActiveX components, such as WScript.Shell, allowing it to analyze the environment and adjust execution behavior.

The malware adapts its persistence strategy based on the antivirus software installed. On systems with Kaspersky, it creates a working directory under C:\Users\Public\core and uses startup shortcuts to relaunch the malicious script. If Quick Heal is detected, it relies on batch files and startup entries. On machines running Avast, AVG, or Avira, the payload is copied directly into the Startup folder. If no recognized antivirus is found, the malware combines batch execution, registry-based persistence, and delayed payload deployment.

A second-stage component includes a malicious DLL named iinneldc.dll, which functions as a fully featured RAT. It allows attackers to remotely control the system, manage files, steal data, capture screenshots, monitor clipboard activity, and manipulate running processes.

Researchers also identified a separate APT36 campaign using a shortcut file disguised as a government advisory PDF. This file retrieves an installer from a remote server, extracts multiple malicious files, displays a legitimate advisory issued by Pakistan’s national CERT, and establishes persistence through registry modifications. One DLL communicates with a hard-coded command-and-control server using reversed strings to hide command endpoints and supports system registration, heartbeat signals, command execution, and anti-virtual-machine checks.

In a related disclosure, researchers linked Patchwork, also known as Maha Grass or Dropping Elephant, to espionage campaigns targeting Pakistan’s defense sector. These attacks used phishing emails with ZIP attachments containing MSBuild project files that abuse msbuild.exe to install a Python-based backdoor. The malware can communicate with command servers, execute Python modules, run commands, and transfer files.

Patchwork has also been associated with a previously undocumented trojan named StreamSpy. Delivered through ZIP archives hosting an executable named Annexure.exe, StreamSpy collects system information, establishes persistence through registry entries, scheduled tasks, or startup shortcuts, and communicates using both WebSocket and HTTP. WebSocket channels are used for command delivery and result transmission, while HTTP handles file transfers. Researchers observed technical similarities between StreamSpy, Spyder, and other malware families, indicating shared infrastructure and continued collaboration among related threat groups.



Read more »
Software
ebooks Encryption malware PDF PowerShell Software

Improved ViperSoftX Malware Distributed Through eBooks

 



Researchers have found new advancements in the ViperSoftX info-stealing malware, which was first discovered in 2020. This malware has become more sophisticated, using advanced techniques to avoid detection. One of its new methods is using the Common Language Runtime (CLR) to run PowerShell commands within AutoIt scripts, which are spread through pirated eBooks. This clever approach helps the malware to hide within normal system activities, making it harder for security software to detect.

How ViperSoftX Spreads

ViperSoftX spreads through torrent sites by pretending to be eBooks. The infection starts when users download a RAR archive that includes a hidden folder, a deceptive shortcut file that looks like a harmless PDF or eBook, and a PowerShell script. The archive also contains AutoIt.exe and AutoIt script files disguised as simple JPG image files. When a user clicks the shortcut file, it sets off a series of commands, starting with listing the contents of “zz1Cover4.jpg.” These commands are hidden within blank spaces and executed by PowerShell, performing various malicious actions.

What the Malware Does

According to researchers from Trellix, the PowerShell code performs several tasks, such as unhiding the hidden folder, calculating the total size of all disk drives, and setting up Windows Task Scheduler to run AutoIt3.exe every five minutes after the user logs in. This ensures the malware remains active on infected systems. Additionally, the malware copies two files to the %APPDATA%MicrosoftWindows directory, renaming them to .au3 and AutoIt3.exe.

A sneaky aspect of ViperSoftX is its use of CLR to run PowerShell within AutoIt, a tool normally trusted by security software for automating Windows tasks. This allows the malware to avoid detection. ViperSoftX also uses heavy obfuscation, including Base64 encoding and AES encryption, to hide commands in the PowerShell scripts extracted from image decoy files. This makes it difficult for researchers and analysis tools to understand what the malware does.

Additionally, ViperSoftX tries to modify the Antimalware Scan Interface (AMSI) to bypass security checks. By using existing scripts, the malware developers can focus on improving their evasion tactics.

The malware's network activity shows it tries to blend its traffic with legitimate system activity. Researchers noticed it uses deceptive hostnames, like security-microsoft[.]com, to appear more trustworthy and trick victims into thinking the traffic is from Microsoft. Analysis of a Base64-encoded User-Agent string revealed detailed system information gathered from infected systems, such as disk volume serial numbers, computer names, usernames, operating system versions, antivirus product information, and cryptocurrency details.

Researchers warn that ViperSoftX is becoming more dangerous. Its ability to perform malicious actions while avoiding traditional security measures makes it a serious threat. As ViperSoftX continues to evolve, it's essential for users to stay alert and use strong security practices to protect their systems from such advanced threats.


Read more »
Phishing Campaigns
Check Point research Cyber Attacks Foxit PDF Reader malware malicious PDF files malware malware delivery PDF Phishing Campaigns

How Attackers Distribute Malware to Foxit PDF Reader Users

 

Threat actors are exploiting a vulnerability in Foxit PDF Reader’s alert system to deliver malware through booby-trapped PDF documents, according to researchers at Check Point.

The researchers have identified several campaigns targeting Foxit Reader users with malicious PDF files. Attackers are utilizing various .NET and Python exploit builders, notably the “PDF Exploit Builder,” to create PDF documents containing macros that execute commands or scripts. These commands download and run malware such as Agent Tesla, Remcos RAT, Xworm, and NanoCore RAT.

"Regardless of the programming language, all builders exhibit a consistent structure. The PDF template used for the exploit includes placeholder text, which is meant to be replaced with the URL for downloading the malicious file once the user provides input," explained the researchers.

Additionally, threat actors are exploiting the fact that some of the pop-up alerts in Foxit Reader make the harmful option the default choice when opening these compromised files.

The first pop-up alert warns users that certain features are disabled to avoid potential security risks, giving them the option to trust the document one time only or always. The default and safer option is the former. However, once the user clicks OK, another alert appears.

Attackers are banking on users ignoring the alert text and quickly accepting the default options, thereby allowing Foxit Reader to execute the malicious command.

Foxit PDF Reader, used by over 700 million people globally, including in government and tech sectors, has been exploited by various threat actors ranging from e-crime to APT groups. These groups have been leveraging this exploit for years, often evading detection by most antivirus software and sandboxes that primarily focus on Adobe PDF Reader.

"The infection success and low detection rate have enabled PDFs to be distributed through unconventional means, such as Facebook, without being intercepted by detection rules," the researchers noted.

Check Point has reported the exploit to Foxit, and the company has announced plans to address it in version 2024 3.

"The proper approach would be to detect and disable such CMD executions. However, based on Foxit's response, they might simply change the default options to 'Do Not Open'," said Antonis Terefos, a reverse engineer at Check Point Research, to Help Net Security.

Efforts to reach Foxit for further comments have yet to receive a response.
Read more »
Subscribe to: Comments (Atom)