Hackers have found a new way to smuggle malware onto your device
No one suspects a malicious PDF file, do they?
Cybersecurity researchers from HP Wolf Security have spotted a new cybercrime campaign that leverages PDF files to try and distribute the Snake Keylogger onto vulnerable endpoints.
According to the researchers, the threat actors would first send an email holding the subject line “Remittance Invoice”, to try and trick the victims into thinking they’ll be getting paid for something.
The email would carry an attached PDF file, likely to reassure the victim of the email’s legitimacy, as Word or Excel files are typically suspicious.
Abusing a known flaw
The PDF itself is only a wrapper: a Word document titled “has been verified” comes embedded within it. When the victim opens the attachment, they’re greeted with a prompt asking whether or not to open the second file. The message says “The file ‘has been verified’ However PDF, jpeg, xlsx, docx files may contain programs, macros, or viruses.”
This might trick the victim into believing their PDF reader scanned the file and that it’s good to go.
The Word file, expectedly, comes with a macro that, if enabled, will download a rich text format (RTF) file from a remote location and run it. The RTF file would then try to download the Snake Keylogger, malware described by BleepingComputer as a “modular info-stealer with powerful persistence, defense evasion, credential access, data harvesting, and data exfiltration capabilities”.
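The chain above hinges on a PDF that carries an Office document as an embedded file, which is something a mail gateway or triage script can check for before the attachment ever reaches a user. The following is an added example written for this article, not code from HP Wolf Security or BleepingComputer: it scans the uncompressed objects of a PDF for `/Filespec` and `/EmbeddedFile` entries, pulls out the declared file names, and flags any with an Office or RTF extension. The two PDFs embedded in the script are constructed samples modelled on the description above (the file name “has been verified.docx” is assumed from the quoted prompt text, not taken from a real capture).

```python
import os
import re

# Extensions of the Office/RTF document types the campaign chains through.
OFFICE_EXTS = {".doc", ".docx", ".docm", ".dot", ".dotm",
               ".xls", ".xlsx", ".xlsm", ".rtf"}

# A /Filespec dictionary declares an embedded file; /F and /UF hold its name.
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec(.*?)endobj", re.DOTALL)
NAME_RE = re.compile(rb"/(?:UF|F)\s*\(((?:\\.|[^\\)])*)\)")
# An /EmbeddedFile stream is the attached payload itself.
EMBEDDED_STREAM_RE = re.compile(rb"/Type\s*/EmbeddedFile\b")


def _unescape(raw: bytes) -> str:
    """Undo the simple backslash escapes allowed in PDF literal strings
    (octal escapes are not handled; this is a triage check, not a full parser)."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def find_embedded_files(pdf: bytes) -> list[str]:
    """Return the file names declared by uncompressed /Filespec objects."""
    names: list[str] = []
    for spec in FILESPEC_RE.finditer(pdf):
        for m in NAME_RE.finditer(spec.group(1)):
            name = _unescape(m.group(1))
            if name not in names:  # /F and /UF usually repeat the same name
                names.append(name)
    return names


def triage_pdf(pdf: bytes) -> dict:
    """Classify a PDF by the attachments it carries.

    suspicious: an embedded file with an Office/RTF extension (the pattern above)
    review:     embedded content is present but is not obviously an Office document
    clean:      no embedded-file objects found among the plaintext objects
    """
    names = find_embedded_files(pdf)
    office = [n for n in names if os.path.splitext(n.lower())[1] in OFFICE_EXTS]
    if office:
        verdict = "suspicious"
    elif names or EMBEDDED_STREAM_RE.search(pdf):
        verdict = "review"
    else:
        verdict = "clean"
    return {"embedded_files": names, "office_attachments": office, "verdict": verdict}


# Constructed sample, not a capture from the campaign: a minimal PDF whose only
# attachment is a Word document named after the prompt text the article quotes.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R
  /Names << /EmbeddedFiles << /Names [(has been verified.docx) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Filespec /F (has been verified.docx)
  /UF (has been verified.docx) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with no attachments at all.
CLEAN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(label, triage_pdf(doc))
```

One caveat matters in practice: the regexes only see objects stored in plaintext. A PDF that packs its dictionaries into compressed object streams (`/ObjStm` with `/FlateDecode`) will hide both the `/Filespec` and the `/EmbeddedFile` markers, so a "clean" verdict here means nothing was visible, not that nothing is there; a production check should inflate those streams with a full PDF parser first, and the "review" verdict is the cue to open the file in a sandbox rather than deliver it.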
The target endpoints still need to be vulnerable to a specific flaw, if the attack is to be successful. Researchers have found that the attackers are trying to leverage CVE-2017-11882, a remote code execution bug in Equation Editor.
The flaw was patched in November 2017, but not all device administrators keep their operating systems up to date. Allegedly, it was one of the most popular vulnerabilities to exploit in 2018, because organizations and consumers were relatively slow to patch it.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.