Skip to content
Whilst most malicious e-mail campaigns use Word documents to hide & spread malware, a recently discovered campaign uses a malicious PDF file, & a 22-year-old Office bug to propagate the Snake Keylogger malware, researchers have found. Microsoft Word was also used in the email campaign.
The campaign was discovered by researchers at HP Wolf Security & aims to con victims with an attached PDF file, purporting to have information about a payment, according to a blog post published Fri. Instead, it loads the info-stealing malware, using some evasion tactics to avoid detection.
Infect Systems
“While Office formats remain popular, this campaign shows how attackers are also using weaponised PDF documents to infect systems,” HP Wolf Security Researcher Patrick Schlapfer wrote in the post, which opined in the headline that “PDF Malware Is Not Yet Dead.”
Attackers using malicious email campaigns have preferred to package malware in Microsoft Office file formats, particularly Word & Excel, for the past decade, Schlapfer stated. In the 1st quarter 2022 alone, nearly half (45%) of malware stopped by HP Wolf Security used Office formats, according to researchers.
“The reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, & they are suited to social engineering lures,” he revealed.
File Lure
Whilst the new campaign does use PDF as the file lure, it later uses Microsoft Word to deliver the final payload—the Snake Keylogger, researchers found.
Snake Keylogger is a malware developed using .NET that 1st appeared in late 2020 & is aimed at stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, & clipboard data, according to Fortinet.
‘Unusual’ Campaign
The HPW Wolf Security team saw a new PDF-based threat campaign on March 23 with an “unusual infection chain,” involving not just a PDF but also “several tricks to evade detection, such as embedding malicious files, loading remotely-hosted exploits & shellcode encryption,” Schlapfer wrote.
Attackers target victims with emails that include a PDF document named “REMMITANCE INVOICE.pdf” (misspelling intended), as attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file with a rather strange name, researchers found.
Adobe Reader Prompt
“The attackers sneakily named the Word document “has been verified. However PDF, Jpeg, xlsx, .docx” to make it look as though the file name was part of the Adobe Reader prompt,” explained the post.
The.docx file is stored as an Embedded File object within the PDF, which opens Microsoft Word if clicked on, researchers found. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which then is run in the context of the open document.
Researchers unzipped the contents of the .rtf—which is an Office Open XML file—finding a URL hidden in the “document.xml.rels” file that is not a legitimate domain found in Office documents, they explained.
17-Year-Old Bug
Connecting to this URL leads to a redirect, & then downloads an RTF document called “f_document_shp.doc. This document contained 2 “not well-formed” OLE objects that revealed shellcode exploiting CVE-2017-11882, which researchers revealed is an “over 4 years-old” remote code execution vulnerability (RCE) in Equation Editor.
Equation Editor is app installed by default, with the Office suite that is used to insert & edit complex equations as Object Linking & Embedding (OLE) items in Microsoft Word documents.
22 Years Old
It seems, however, that the bug that attackers use in the campaign is one that Microsoft patched over 4 years ago–in 2017, but actually had existed 17 years before that, making it 22 years old.
As the final act of the attack, researchers found shellcode stored in the “OLENativeStream” structure at the end of one of the OLE objects they examined. The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed after to lead to an executable called fresh.exe that loads the Snake Keylogger, researchers concluded.
