Snake Keylogger is distributed via malicious PDF files


On March 23, the HP Wolf Security team discovered a new malicious campaign built around PDF files with an “unusual chain of infection”: not just a PDF, but “several techniques to avoid detection, such as embedding malicious files, downloading remotely hosted exploits and encrypting shell code,” wrote Schlapfer.

As people became aware of malicious Microsoft Office attachments, attackers switched to other methods of deploying malicious macros and evading detection.

According to the HP Wolf Security report, the PDF file served as a carrier for a document with malicious macros that downloaded and installed malware to steal information from the victim’s computer.

The PDF file was named “Invoice,” and the email carried vague promises of payment to the recipient. When the PDF was opened, Adobe Reader prompted the user to open the DOCX file embedded inside it, which is already unusual and can confuse the victim. Because the threat actor had named the attached document “verified”, the “Open File” dialog read: “The file has been verified”. This message can persuade the recipient that the file is authentic and safe.

A specialist can inspect the file embedded in a PDF document with parsers and scripts, but a regular user has no way to check and will open the DOCX in Microsoft Word; if macros are enabled, an RTF (rich text format) file is then downloaded from a remote server and opened.
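The inspection mentioned above, as an added example that is not part of the original article or of HP Wolf Security's tooling: a small Python triage script that scans the raw bytes of a PDF for /Filespec and /EmbeddedFile objects, reports the declared attachment names and MIME types, flags Office and RTF attachments, and notes whether the file carries an auto-open trigger. The sample PDF, its file name and the placeholder script are constructed for this example; the article does not say which mechanism the real sample used to prompt the viewer.

```python
import os
import re
from typing import Dict, List

# Constructed sample (not the campaign's file): a minimal PDF that attaches a
# DOCX via a /Filespec and points /OpenAction at a placeholder script object.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R /Names << /EmbeddedFiles << /Names [ (invoice.docx) 4 0 R ] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
4 0 obj << /Type /Filespec /F (invoice.docx) /UF (invoice.docx) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Subtype /application#2Fvnd.openxmlformats-officedocument.wordprocessingml.document /Length 4 >>
stream
PK\x03\x04
endstream
endobj
6 0 obj << /S /JavaScript /JS (placeholder script) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Attachment types that commonly carry a second stage (macro documents,
# RTF with OLE exploits, scripts and binaries).
RISKY_EXTENSIONS = {".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsm",
                    ".exe", ".js", ".vbs", ".lnk"}

FILESPEC_RE = re.compile(rb"/Type\s*/Filespec(?P<body>.*?)endobj", re.S)
FILENAME_RE = re.compile(rb"/(?:UF|F)\s*\((?P<name>[^)]*)\)")
EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile(?P<body>.*?)>>", re.S)
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(?P<sub>[^\s/>]+)")
# Keys that make a viewer act as soon as the document opens.
TRIGGER_KEYS = (b"/OpenAction", b"/JavaScript", b"/Launch")


def decode_pdf_name(raw: bytes) -> str:
    """PDF names escape arbitrary bytes as #xx; undo that (e.g. #2F -> '/')."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def embedded_file_names(pdf: bytes) -> List[str]:
    """File names declared by /Filespec dictionaries (what the viewer lists)."""
    names = []
    for spec in FILESPEC_RE.finditer(pdf):
        m = FILENAME_RE.search(spec.group("body"))
        if m:
            names.append(m.group("name").decode("latin-1"))
    return names


def embedded_file_subtypes(pdf: bytes) -> List[str]:
    """Declared MIME types of /EmbeddedFile streams, with #xx escapes decoded."""
    subtypes = []
    for stream in EMBEDDED_RE.finditer(pdf):
        m = SUBTYPE_RE.search(stream.group("body"))
        subtypes.append(decode_pdf_name(m.group("sub")) if m else "unknown")
    return subtypes


def triage_pdf(pdf: bytes) -> Dict[str, object]:
    """Summarise embedded files and auto-open triggers found in raw PDF bytes.

    Note: this only sees objects stored in plain text. Attachments hidden in
    compressed object streams or encrypted files need a full PDF parser.
    """
    names = embedded_file_names(pdf)
    risky = [n for n in names if os.path.splitext(n.lower())[1] in RISKY_EXTENSIONS]
    triggers = [k.decode() for k in TRIGGER_KEYS if k in pdf]
    return {
        "embedded_names": names,
        "embedded_subtypes": embedded_file_subtypes(pdf),
        "risky_names": risky,
        "auto_open_triggers": triggers,
        "suspicious": bool(risky),
    }


if __name__ == "__main__":
    for key, value in triage_pdf(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Run it as-is to triage the constructed sample, or replace `SAMPLE_PDF` with the bytes of a file read in binary mode. The regexes deliberately match only the uncompressed object syntax, so a clean result from this script is not proof of a clean file; it is a quick first pass before handing a suspicious attachment to a parser that inflates object streams.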

The RTF is downloaded by a command embedded in the Word file, which references the URL «vtaurl[.]com/IHytw» where the payload is hosted.

The RTF document is named «f_document_shp.doc» and contains malformed OLE objects that resist analysis. According to the researchers, the campaign attempts to exploit an old Microsoft Equation Editor vulnerability to run arbitrary code.

The deployed shellcode exploits the Equation Editor remote code execution vulnerability CVE-2017-11882, patched in November 2017 but still exploitable on unpatched systems. The vulnerability drew attackers' attention immediately and went on to become one of the most frequently exploited vulnerabilities of 2018. The shellcode in the RTF uses CVE-2017-11882 to download and launch Snake Keylogger, a modular information-stealing malware with high resilience and defense evasion.

Previously, cybercriminals used a bug in the Microsoft Equation Editor to bypass antivirus software. By exploiting a chain of vulnerabilities, attackers could deliver arbitrary malware onto a compromised system.
