Search This Blog

Showing posts with label PDFs. Show all posts

PDF Smuggles Microsoft Word Doc to Deliever Snake Keylogger Malware

 

Threat researchers have found a new malware distribution campaign that uses PDF attachments to transport infected Word documents into users' computers. Most phishing emails today include DOCX or XLS attachments loaded with malware-loading macro code, thus the use of PDFs is unusual. Threat actors are switching to different methods to install harmful macros and escape identification as users grow more aware of opening fraudulent Microsoft Office attachments. 

In a new report by HP Wolf Security, researchers show how PDFs are being exploited as a transport for documents containing malicious macros that download and install information-stealing malware on victims' devices. The PDF arriving through email in a campaign seen by HP Wolf Security is called "Remittance Invoice," and the guess is that the email body contains vague assurances of payment to the recipient. 

When the PDF is accessed, Adobe Reader prompts the user to open a DOCX file contained therein, which is unusual and may cause the victim to become confused. "The file 'has been verified," says the Open File prompt, because the threat actors named the embedded document "has been verified." This message may lead recipients to believe that Adobe has authenticated the file and that it is safe to open. While malware investigators can use parsers and scripts to investigate embedded files in PDFs, most average users wouldn't go that far or even know where to begin. 

As a result, many people will open the DOCX in Microsoft Word and, if macros are allowed, will download and open an RTF (rich text format) file from a remote location. The command is inserted in the Word file, coupled with the hardcoded URL "vtaurl[.]com/IHytw," which is where the payload is hosted, to download the RTF. 

Attacking old RCE

The RTF file is called "f_document_shp.doc" and contains faulty OLE objects that are likely to elude detection. HP's experts discovered that it attempts to exploit an outdated Microsoft Equation Editor vulnerability to execute arbitrary code. The shellcode used in the attack targets CVE-2017-11882, a remote code execution flaw in Equation Editor that was addressed in November 2017 but is still exploitable in the wild. 

When the flaw was revealed, hackers were quick to notice it, and the sluggish patching that followed led to it becoming one of the most abused vulnerabilities in 2018. The RTF shellcode downloads and runs Snake Keylogger, a modular info-stealer with powerful persistence, defence evasion, credential access, data harvesting, and data exfiltration capabilities, by exploiting CVE-2017-11882.

Top Israeli Officials Duped by Bearded Barbie Hackers

 

Cybercriminals appear to be aggressively promoting the Remcos RAT that first appeared in hacking forums in 2016 and was marketed sold, and offered cracks on a variety of websites and forums. In 2017, researchers discovered Remcos being distributed via a malicious PowerPoint slideshow with a CVE-2017-0199 exploit. Remcos RAT is a piece of commercial software which may be purchased online. 

An "elaborate effort" targeting high-profile Israeli individuals working in critical defense, law enforcement, and emergency services sectors has been traced to a threat actor associated with Hamas' cyber warfare section. The Hamas-backed hacker outfit dubbed 'APT-C-23' was discovered catfishing Israeli officials in defense, law enforcement, and government institutions, resulting in the deployment of new malware. 

Before delivering spyware, the campaign uses advanced social engineering techniques like creating phony social media identities and maintaining a strong partnership with the targets. AridViper has previously targeted Palestinian law enforcement, military, or educational institutions, as well as the Israel Security Agency, with spear-phishing assaults (ISA). Researchers from Cisco Talos discovered AridViper assaults against activists involved in the Israel-Palestine conflict in February.

Malicious actors have built several phony Facebook pages utilizing forged credentials and pirated or AI-generated photographs of attractive women, and have used these profiles to approach their targets. The operators have spent months curating these profiles to make them appear legitimate, posting in Hebrew and alike organizations and prominent pages in Israel. The creators of these profiles create a network of friends who are actually people who work in Israel's police, defense forces, emergency services, or government. The opponents recommend transferring the chat to WhatsApp, ostensibly for more privacy, after building the target's trust by talking with individuals for a while. 

The Android app is actually the virus VolatileVenom.The icon is concealed on pre-Android 10 devices; with Android 10, the virus utilizes the Google Play installation icon. When the victim tries to sign into the Wink Chat, an error message appears, stating the app will be deleted. With a wide spectrum of espionage capabilities, VolatileVenom continues to function in the background. 

The malicious actors will eventually email the target a RAR file containing supposedly explicit photographs or videos as part of the catfishing attempts. This RAR file, on the other hand, contains the Barb(ie) installer malware, which installs the BarbWire backdoor. The filename of a sample of Barb(ie) detected by Cybereason is "Windows Notifications," and when it is made to run, it performs basic anti-analysis checks. If the host is deemed appropriate, the downloader links to an integrated C2 server. 

The BarbWire Backdoor is sent by the C2 server. The downloader contains a backup technique for finding a different C2. If the attackers need to modify the C2 from the one inserted, they can simply send an SMS message with the new destination. All inbound SMS messages are intercepted by the downloader. If one is provided by the intruders, it can just extract the new C2 information and install the backdoor. BarbWire steals data from PDFs, Office files, archives, picture files, movies, and photos, among other file types. It also checks for external media, such as a CD-ROM file, implying it's hunting for highly sensitive material which is carried around physically or over the internet. The stolen information is stored in a RAR archive and then sent to the attackers' C2 server. 

APT-C-23 employs several approaches which have been used in previous operations against Israeli targets, but it is constantly evolving with new tools and more intricate social engineering efforts. The lack of overlapping infrastructure distinguishes Operation Bearded Barbie from past missions, indicating the group's goal of avoiding notice. Another escalation for the threat actor is the usage of two backdoors, one for Windows and one for Android, resulting in very active espionage for the compromised targets.

After 17 years, the Zlib Crash-An-App Flaw Has Been Patched

 

Four years after the vulnerability was first found but left unpatched, the widely used Zlib data-compression library now has a patch to close a vulnerability that might be abused to crash apps and services. Tavis Ormandy, a bug hunter for Google Project Zero, informed the Open-Source-Software-Security mailing list about the programming error, CVE-2018-25032, which he discovered while trying to figure out what caused a compressor crash. 

"We reported it upstream, but it turns out the bug is already public since 2018, but the update never made it into a release. As far as they are aware, no CVE has ever been assigned to it." Ormandy stated. Furthermore, when Eideticom's Danilo Ramos discovered the defect in April 2018, it was 13 years old, implying this bug had been lurking for 17 years, waiting to be exploited. 

Zlib is a data-compression general-purpose library that is free, and legally unencumbered (i.e., not covered by any patents). It can be used on nearly any computer hardware and operating system. Anyone who has ever used softwares like PKZIP, WinRAR, 7-Zip, or any archiving utilities will attest to how data compression software has always been useful.

The primary goal of data compression is to save space, such as by reducing the amount of storage space required for backups or reducing data transfer bandwidth. Despite the computational overhead of squashing and expanding data before and after storing or sending it, compression frequently saves time and space by reducing the amount of data that must be moved back and forth between a fast storage location like RAM (memory) and a slow storage location like a disc, tape, or network. 

The patch was never included in a Zlib software update, and Ormandy showed a proof-of-concept exploit which works against both default and non-default compression schemes supported by the library just a few days after discovering the problem. This means any attempt to unpack maliciously designed compressed data may cause an application or network service to crash. 

In a nutshell, this is a memory corruption flaw: if user-supplied data is particularly formatted, software that relies on Zlib to compress it can crash and terminate due to an out-of-bounds write. The open-source Zlib is so extensively used that there are plenty of potential avenues for exploitation, which is why this problem is such a huge deal, in contrast to its nearly two-decade history. Zlib's algorithm, DEFLATE, which became an internet standard in 1996, is used to squash and expand data in a variety of file formats and protocols, and the software it handles these inputs to, will almost certainly use zlib. 

According to Sophos, these programs include Firefox, Edge, Chromium, and Tor, as well as the PDF reader Xpdf, video player VLC, Word and Excel compatible software LibreOffice, and picture editor GIMP. The Zlib problem, which was first discovered in 1998, enables data in a pending buffer to corrupt a distance symbol table. Out-of-bounds access can cause the program to crash and even create a denial of service. 

Users should install a non-vulnerable version of the zlib shared library, which they can usually get from the OS maker by downloading the latest updates, and developers should make sure the software packages don't rely on a vulnerable version of the reliance, pushing out app or service updates as needed.

SolarMarker Malware Utilize Cutting-Edge Techniques


The SolarMarker data thief and gateway operators have been identified using devious Windows Registry ways to maintain long-term persistence on infected systems, indicating that the malicious actors are constantly changing strategy and improving defensive mechanisms.

The. NET-based malware, which boasts data harvesting and backdoor capabilities, has been linked to at least three consecutive attack waves in 2021. The first batch revealed in April, employed search engine poisoning to trick business executives by visiting dodgy Google pages which downloaded SolarMarker on users' PCs. In August, the malware was discovered to be stealing accounts and sensitive information from the healthcare and education sectors.

In the following infection chains revealed by Morphisec in September 2021, the usage of MSI installers to assure malware dissemination was observed. SolarMarker's technique begins with users being directed to decoy sites with drop MSI installer payloads which, while downloading ostensibly legitimate software like Adobe Acrobat Pro DC, Nitro Pro, or Wondershare PDFelement, really launch a PowerShell script.

According to cybersecurity firm Sophos, which noticed the new behavior, despite the operation's end in November 2021, remote management implants are still located on targeted networks."Such SEO efforts, which blended Google Groups consultations with deceitful web pages and PDF documents hosted on infected sites, are beneficial, the SolarMarker lures were ordinarily at or near the top of the search engines for phrases the SolarMarker actors targeted," said Sophos researchers Gabor Szappanos and Sean Gallagher. 

To assure persistence, the PowerShell installer modifies the Registry Entries and drops a.LNK file into Windows' starting directory. This unlawful alteration causes the malware to be delivered from an encrypted payload concealed behind a "smokescreen" of 100 to 300 garbage files built particularly for this purpose.

The researchers explained, "Usually, one might assume this associated file to be an operable or script file." "However, the linked file for these SolarMarker operations is one of the random trash files, therefore cannot be performed by itself."

Furthermore, the linked junk file's unique and random file extension is used to build a custom file type key, which is then used to run an Executable from the Registry to run the malware during system startup. The backdoor, on the other hand, is constantly growing, with features that allow it to capture information from online browsers, facilitate bitcoin theft, and run arbitrary instructions and programs, with the results being sent to a remote server.

The backdoor is continually being updated with new capabilities that make it possible to steal data from the web browsers, ease bitcoin theft, and execute arbitrary commands and applications with the results related to a remote server. 

Malware through PDF Attachments..?





A recent malicious campaign discovers the delivery of PDF documents to the users as an attachment through phishing messages in order for them to download a malicious Android executable file.

The PDFs utilize various ways such as “To open this document, update the adobe reader” or “To unlock this document press below button" to grab the user's attention. At the point when the user finally perform the requested click activity on that document, a malevolent APK (Android executable) file is downloaded from a link that was present in that PDF, which further downloads original Adobe Reader.


This malware additionally has the ability to peruse contacts, read, the browser bookmarks, and key-logging and to inhibit the background processes.

It distinguishes whether the phone is rooted or non-rooted and proceeds accordingly at the same time gathering information on the longitude and latitude  data while tracking SMS notifications and call status'  and then sending the information to the servers controlled by the attackers.


It is therefore recommended for the users to abstain from downloading applications from the third-party application stores or links and other connections given in SMSs or emails. Also to avoid opening mails and attachments from obscure sources and to dependably keep 'Unknown Sources' disabled as enabling this option permits the installation certain applications from obscure sources.

But more importantly, to keep the device OS and mobile security application always updated in order to protect their privacy.