Multiplatform Malware Campaign Uses PDF Invoices to Deploy Java-Based RAT

 

A new wave of cyberattacks is sweeping across digital infrastructures globally, leveraging weaponised PDF invoices to infiltrate systems with a sophisticated Java-based Remote Access Trojan (RAT). Security researchers from Fortinet have identified a multi-stage, evasive malware campaign targeting Windows, Linux, and macOS devices, exploiting the cross-platform capabilities of Java to establish remote control over compromised machines. 

The attack chain begins with phishing emails that appear to contain legitimate invoice attachments. These emails pass domain authentication checks—such as SPF validation—by misusing the serviciodecorreo.es mail service, which is permitted to send messages on behalf of numerous domains. The attached PDF lures recipients with urgent invoice-related messaging, prompting them to click embedded buttons that lead to the next stage of infection. 

Once a user interacts with the PDF, they are redirected to a Dropbox-hosted HTML file titled “Fattura”—the Italian word for “invoice.” This file prompts a basic CAPTCHA check before further redirecting the victim to a URL generated by Ngrok, a legitimate tunneling service often abused to conceal malicious activity. 

What makes this campaign particularly difficult to detect is its use of geolocation filtering. Depending on the user’s IP address, the final content differs: users located in Italy receive a Java Archive (JAR) file camouflaged under generic filenames such as “FA-43-03-2025.jar,” while users from other regions are shown an innocuous Google Drive document containing a non-malicious invoice from an entity named Medinova Health Group. This strategy effectively thwarts email security platforms that scan links from centralised cloud environments, because those scanners often do not browse from the targeted region and so are served only the harmless document.

If the user downloads and runs the JAR file, a Java-based Remote Access Trojan known as RATty is deployed. This malware allows attackers to execute remote commands, log keystrokes, capture screenshots, access files, and even control webcams and microphones. By exploiting the Java Runtime Environment (JRE), the RAT functions across operating systems, significantly broadening its potential victim base. To further evade detection, the campaign uses trusted platforms like Dropbox and MediaFire to host malicious components. Additionally, Ngrok’s dynamic tunneling service helps the attackers disguise their infrastructure, making attribution and blocking more difficult. 

The attackers have also conducted reconnaissance to identify vulnerable domains, optimising their strategy for maximum penetration and persistence. Security experts warn that the use of such multilayered and cross-platform infection techniques reflects the growing sophistication of threat actors. The campaign not only highlights the critical need for advanced threat detection systems but also reinforces the importance of user awareness, particularly around email-based social engineering tactics. 

Organisations are urged to ensure their endpoint protection tools are updated and to consider restricting the execution of Java applications from unknown sources. Furthermore, robust geofencing-aware email filtering and sandboxing solutions could help in flagging such targeted, region-specific attacks before they escalate.
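
One way to hunt for the delivery chain described above in web proxy logs, flagging the file-share-to-tunnel redirect even when the geofenced payload is never served. This is an added example, not code from Fortinet or from the original post; the log layout, the host suffix lists and the ten-minute window are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed host suffixes for the services the article names.
FILE_SHARE = ("dropbox.com", "dropboxusercontent.com", "mediafire.com")
TUNNEL = ("ngrok.io", "ngrok.app", "ngrok-free.app")
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample proxy log: "<ISO time> <client IP> <URL>"
SAMPLE_LOG = """\
2025-03-04T09:00:01 10.0.0.5 https://www.dropbox.com/s/EXAMPLE/Fattura.html
2025-03-04T09:00:20 10.0.0.5 https://example-tunnel.ngrok-free.app/check
2025-03-04T09:00:31 10.0.0.5 https://example-tunnel.ngrok-free.app/FA-43-03-2025.jar
2025-03-04T09:01:00 10.0.0.7 https://www.dropbox.com/s/EXAMPLE/Fattura.html
2025-03-04T09:01:15 10.0.0.7 https://example-tunnel.ngrok-free.app/check
2025-03-04T09:01:30 10.0.0.7 https://drive.google.com/file/d/EXAMPLE/view
2025-03-04T11:00:00 10.0.0.9 https://repo.example.org/libs/tool.jar
"""

def host_matches(host, suffixes):
    host = (host or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)

def hunt(log_text):
    """Return {client: verdict} for clients that went file share -> tunnel."""
    state, verdicts = {}, {}  # state: client -> (stage, time of file-share hit)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, url = datetime.fromisoformat(parts[0]), parts[1], urlparse(parts[2])
        path = url.path.lower()
        stage, started = state.get(client, (0, None))
        if started and ts - started > WINDOW:
            stage, started = 0, None  # chain went stale, start over
        if host_matches(url.hostname, FILE_SHARE) and path.endswith((".html", ".htm")):
            stage, started = 1, ts  # stage 1: HTML page on a file-sharing host
        if stage == 1 and host_matches(url.hostname, TUNNEL):
            stage = 2  # stage 2: redirect into a tunnelling service
            verdicts.setdefault(client, "redirect-chain-only")
        if stage == 2 and path.endswith(".jar"):
            verdicts[client] = "jar-delivered"  # stage 3: JAR fetched after the chain
            stage, started = 0, None
        state[client] = (stage, started)
    return verdicts

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

A `redirect-chain-only` verdict is still worth triage: it is what a client outside the targeted region would produce when served the decoy document.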