Cybersecurity researchers from HP Wolf Security have spotted a new cybercrime campaign that leverages PDF files to try and distribute the Snake Keylogger onto vulnerable endpoints.
According to the researchers, the threat actors would first send an email holding the subject line “Remittance Invoice”, to try and trick the victims into thinking they’ll be getting paid for something.
The email would carry an attached PDF file, likely to reassure the victim of the email’s legitimacy, as Word or Excel files are typically suspicious.
Abusing a known flaw
However, a Word document, titled “has been verified”, comes embedded within the PDF. When the victim opens the attachment, they’re greeted with a prompt asking whether or not to open the second file. The message says “The file ‘has been verified’ However PDF, jpeg, xlsx, docx files may contain programs, macros, or viruses(opens in new tab).”
This might trick the victim into believing their PDF reader scanned the file and that it’s good to go.
The Word file, expectedly, comes with a macro that, if enabled, will download a rich text format (RTF) file from a remote location, and run it. The file would then try to download the Snake Keylogger, malware (opens in new tab)described by BleepingComputer as a “modular info-stealer with powerful persistence, defense evasion, credential access, data harvesting, and data exfiltration capabilities”.
The target endpoints still need to be vulnerable to a specific flaw, if the attack is to be successful. Researchers have found that the attackers are trying to leverage CVE-2017-11882, a remote code execution bug in Equation Editor.
The flaw was patched in November 2017, but not all device administrators keep their operating systems up to date. Allegedly, it was one of the most popular vulnerabilities to exploit in 2018, due to organizations and consumers being relatively slow to patch it up.