Threat researchers have found a new malware distribution operation that uses PDF attachments to sneak infected Word documents onto users' devices. The use of PDFs is rare, as most phishing emails today carry DOCX or XLS files whose macros load malware.
As users grow warier of opening suspicious Microsoft Office files, threat actors are switching techniques to deliver malicious macros and evade detection. In a new report from HP Wolf Security, researchers show how PDFs are being used as a transport for documents containing malicious macros that download and install information-stealing malware on victims' devices.
The PDF delivered by email in the campaign HP Wolf Security observed is named "Remittance Invoice," and the email body presumably offers the recipient vague assurances of payment. When the PDF is opened, Adobe Reader prompts the user to open a DOCX file embedded in it, which is unusual and may confuse the victim.
Because the threat actors named the embedded document "has been verified," the Open File prompt reads, "The file has been verified." This message may lead users to believe that Adobe has authenticated the file and that it is safe to open. Malware analysts can use parsers and scripts to inspect files embedded in a PDF, but most users wouldn't go that far or even know where to begin.
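The kind of inspection analysts do on a PDF like this can be scripted with nothing but regular expressions and zlib. The following is an added example written for this article, not code from HP Wolf Security or from the campaign: `scan_pdf` counts the name objects that matter for triage (`/EmbeddedFile`, `/Filespec`, `/OpenAction`, `/AA`, `/JavaScript`, `/JS`, `/Launch`), also looks inside Flate-compressed streams, because a `/Filespec` and its filename may live only in a compressed object stream and never appear in the raw bytes, and reports the embedded filenames it finds. `build_sample_pdf` is a constructed fixture (placeholder script, placeholder DOCX bytes, no xref table); the function names and the verdict strings are this example's own.

```python
import re
import zlib

# PDF name objects worth counting during triage. /EmbeddedFile is the attachment stream
# itself and /Filespec names it; /OpenAction, /AA, /JavaScript, /JS and /Launch are the
# ways a document can act, or prompt the reader, as soon as it is opened.
INDICATORS = (b"/EmbeddedFile", b"/Filespec", b"/OpenAction", b"/AA",
              b"/JavaScript", b"/JS", b"/Launch")
ACTION_KEYS = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch")

# A PDF name token ends at whitespace or a delimiter, so /JS must not match /JSxyz
# and /EmbeddedFile must not match the /EmbeddedFiles name tree.
_NAME_END = rb"(?![A-Za-z0-9_.-])"
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
_FILENAME_RE = re.compile(rb"/U?F\s*\(([^)]{1,255})\)")   # /F (name) or /UF (name)


def _inflate_streams(data: bytes) -> list:
    """Decode every stream body that parses as Flate (zlib) data. Object streams (/ObjStm)
    carry whole dictionaries, so a /Filespec and its filename can be present in the file
    while never appearing in the raw bytes."""
    bodies = []
    for m in _STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the newline that precedes 'endstream'
            out = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (images, plain streams, other filters)
        if out:
            bodies.append(out)
    return bodies


def scan_pdf(data: bytes) -> dict:
    """Count indicators in the raw bytes and in inflated streams, collect embedded
    filenames, and give a triage verdict. Regex-based on purpose: it needs no PDF
    library and keeps working on files too broken for a full parser to load."""
    views = [("raw", data)] + [("inflated", b) for b in _inflate_streams(data)]
    counts = {ind.decode(): 0 for ind in INDICATORS}
    filenames, hidden = set(), set()
    for where, blob in views:
        for ind in INDICATORS:
            n = len(re.findall(re.escape(ind) + _NAME_END, blob))
            counts[ind.decode()] += n
            if n and where == "inflated":
                hidden.add(ind.decode())
        filenames.update(m.group(1).decode("latin-1") for m in _FILENAME_RE.finditer(blob))
    carries_file = counts["/EmbeddedFile"] > 0 or counts["/Filespec"] > 0
    acts_on_open = any(counts[k] for k in ACTION_KEYS)
    if carries_file and acts_on_open:
        verdict = "suspicious: embedded file plus open-time action"
    elif carries_file:
        verdict = "review: embedded file without open-time action"
    else:
        verdict = "no embedded file"
    return {"indicators": counts, "embedded_filenames": sorted(filenames),
            "hidden_in_object_streams": sorted(hidden), "verdict": verdict}


def build_sample_pdf() -> bytes:
    """Constructed fixture, not a file from the campaign: a lure whose /Filespec sits in a
    Flate-compressed object stream and whose /OpenAction runs a placeholder script. It is
    only a scanner input (no xref table), and the 'DOCX' payload is placeholder bytes."""
    filespec = b"<< /Type /Filespec /F (Remittance_Invoice.docx) /EF << /F 5 0 R >> >>"
    objstm = zlib.compress(b"4 0 " + filespec)      # object-stream header "objnum offset"
    payload = zlib.compress(b"PK\x03\x04 placeholder docx bytes")
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R "
            b"/Names << /EmbeddedFiles << /Names [(Remittance_Invoice.docx) 4 0 R] >> >> >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"5 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length "
            + str(len(payload)).encode() + b" >>\nstream\n" + payload + b"\nendstream\nendobj\n"
            b"6 0 obj << /S /JavaScript /JS (placeholder script, constructed) >> endobj\n"
            b"7 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
            + str(len(objstm)).encode() + b" >>\nstream\n" + objstm + b"\nendstream\nendobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    import json
    print(json.dumps(scan_pdf(build_sample_pdf()), indent=2))
```

On the fixture the raw bytes show `/EmbeddedFile`, `/OpenAction` and `/JS`, while `/Filespec` and the filename `Remittance_Invoice.docx` are reported only after the object stream is inflated, which is exactly the case a raw string search misses. Dedicated tools (pdfid, peepdf, pdf-parser) go further by handling every filter and object stream, but the combination flagged here, an embedded file together with an action that fires when the document opens, is the signal worth alerting on at the mail gateway.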
As a result, many users will open the DOCX in Microsoft Word and, if macros are enabled, the document will download and open an RTF (Rich Text Format) file from a remote location. The download command embedded in the Word file carries the hardcoded URL "vtaurl[.]com/IHytw," which is where the RTF payload is hosted.
The RTF file is named "f_document_shp.doc" and contains malformed OLE objects, likely to evade detection. HP's analysts found that it attempts to run arbitrary code by exploiting an old Microsoft Equation Editor vulnerability: the shellcode targets CVE-2017-11882, a remote code execution flaw in Equation Editor that was patched in November 2017 but is still exploited in the wild.
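The same triage idea applies to the RTF stage. The following is an added example, not HP's code and not derived from "f_document_shp.doc": `scan_rtf` pulls each `\objdata` hex blob, reads the class name from the OLE1 object header, flags objects whose class is Equation Editor (by the `Equation.3` class name or its CLSID `{0002CE02-0000-0000-C000-000000000046}`), notes `\objupdate`, and counts headers that do not fit their data, which is what a malformed OLE object looks like. `build_sample_rtf` is a constructed fixture whose native data is placeholder bytes, so it is inert; the function names and verdict strings are this example's own.

```python
import re

# Class name Equation Editor 3.0 writes into an OLE1 object header, and its CLSID
# {0002CE02-0000-0000-C000-000000000046} as stored on disk (first three fields little-endian).
EQUATION_CLASS = b"equation.3"
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")

_OBJECT_RE = re.compile(rb"\\object\b")
_OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}]+)")
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def _decode_objdata(hexblob: bytes) -> bytes:
    """\\objdata is hex text, usually wrapped across lines; strip whitespace and decode,
    dropping a dangling nibble rather than failing on a truncated blob."""
    clean = re.sub(rb"\s+", b"", hexblob)
    if len(clean) % 2:
        clean = clean[:-1]
    return bytes.fromhex(clean.decode("ascii"))


def _ole1_class_name(blob: bytes):
    """Read the class name from an OLE1 object header (version, format id, then a
    length-prefixed name). Returns None when the header does not fit the data, which
    is the malformed-object case rather than a benign embedding."""
    if len(blob) < 12:
        return None
    name_len = int.from_bytes(blob[8:12], "little")
    if name_len == 0 or 12 + name_len > len(blob):
        return None
    return blob[12:12 + name_len].rstrip(b"\x00")


def scan_rtf(data: bytes) -> dict:
    """Triage an RTF for embedded OLE objects, Equation Editor objects in particular."""
    classes = [m.group(1).strip().decode("latin-1") for m in _OBJCLASS_RE.finditer(data)]
    equation = malformed = 0
    for m in _OBJDATA_RE.finditer(data):
        blob = _decode_objdata(m.group(1))
        name = _ole1_class_name(blob)
        if name is None:
            malformed += 1
        if ((name and EQUATION_CLASS in name.lower())
                or EQUATION_CLASS in blob.lower() or EQUATION_CLSID in blob):
            equation += 1
    if any("equation" in c.lower() for c in classes):
        equation = max(equation, 1)      # \objclass alone is enough to flag it
    objects = len(_OBJECT_RE.findall(data))
    auto_update = b"\\objupdate" in data
    if equation:
        verdict = "high: Equation Editor OLE object (CVE-2017-11882 pattern)"
        if auto_update:
            verdict += ", set to update on open"
    elif malformed:
        verdict = "medium: malformed OLE object data"
    elif objects:
        verdict = "review: embedded OLE object(s)"
    else:
        verdict = "no OLE objects"
    return {"objects": objects, "objclass": classes, "equation_objects": equation,
            "objupdate": auto_update, "malformed_objdata": malformed, "verdict": verdict}


def build_sample_rtf() -> bytes:
    """Constructed fixture, not the campaign's file: an RTF carrying an OLE1 object whose
    class name is Equation.3. The native data is placeholder bytes, not an equation
    record, so the file is inert and only exercises the scanner."""
    class_name = b"Equation.3\x00"
    native = b"\x41" * 16                                   # placeholder, not a real record
    ole1 = (b"\x01\x05\x00\x00"                             # OLE1 version
            + b"\x02\x00\x00\x00"                           # FormatID 2 = embedded object
            + len(class_name).to_bytes(4, "little") + class_name
            + b"\x00\x00\x00\x00" * 2                       # empty TopicName and ItemName
            + len(native).to_bytes(4, "little") + native)   # NativeDataSize + data
    return (b"{\\rtf1\\ansi\n"
            b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}\\objw380\\objh260\n"
            b"{\\*\\objdata " + ole1.hex().encode() + b"}}\n"
            b"Remittance notice placeholder.\\par\n}\n")


if __name__ == "__main__":
    print(scan_rtf(build_sample_rtf()))
```

Real samples often break the `\objdata` hex up with stray control words or nest the object in unusual destinations, so a production pipeline should hand the file to a proper parser such as rtfobj from oletools; the header check above still catches the simple case and, more usefully, tells you when the OLE header itself is inconsistent with its data, which is the "malformed OLE object" property the report describes. Whatever the detection, the fix is the one that has been available since November 2017: apply the Equation Editor patch or remove the component.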
Attackers seized on the flaw soon after it was disclosed, and the slow patching that followed made it one of the most abused vulnerabilities of 2018. Once CVE-2017-11882 is triggered, the RTF shellcode downloads and executes Snake Keylogger, a modular info-stealer with powerful persistence, defense evasion, credential access, data harvesting, and data exfiltration capabilities.