
These hackers use a simple PDF to inject terrible malware into your PC

Hackers keep showing ingenuity in finding ways to infiltrate users' PCs and infect them with nasty malware. Computer security researchers at HP Wolf Security have detected a new malicious campaign centered around a simple PDF file.

Image: malware pdf hack (Credits: Pixabay)

When it comes to finding effective ways to infect users' PCs and smartphones, hackers are imaginative. There is no shortage of recent examples, such as this malware which attacks an unusual place in the system, namely the event handler of the OS.

We also remember this malware that works even when the iPhone is off, in particular by exploiting Low Power Mode. On this Monday, May 23, 2022, it is the turn of computer security researchers from HP Wolf Security to report a disturbing discovery.

A simple PDF to transfer malware

Indeed, these experts have detected a new malicious campaign centered around a simple PDF file. First, the threat actors send an email whose subject promises a reimbursement of medical or other expenses. The goal is to make the victims believe that they will receive money.

The email in question contains a PDF file as an attachment, chosen to reassure the victim of its legitimacy, since Word or Excel attachments are generally regarded as suspicious by most people. However, a Word document called “has been verified” is embedded inside the PDF. When the victim opens the PDF for the first time, they are prompted to open this second document.

“The message says ‘The file has been verified’. However, PDF, jpeg, xlsx, docx files may contain programs, macros or viruses,” the HP Wolf Security experts point out. As one might suspect, the Word file contains a macro which, once activated, downloads an RTF file (Rich Text Format) from a remote location and runs it.
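As an added illustration (not code from HP Wolf Security or from the original article), the Python triage script below flags the shape described above: a PDF carrying an embedded Office document together with an action that runs when the file is opened. Both sample PDFs are constructed inline; the attachment name and the JavaScript body are placeholders, not values taken from the campaign.

```python
import re

# PDF name tokens that, in combination, fit the lure described above:
# an embedded file (the Word document) plus something that runs on open.
RISKY_NAMES = [b"/EmbeddedFile", b"/Filespec", b"/OpenAction", b"/AA",
               b"/JavaScript", b"/JS", b"/Launch"]
AUTO_ACTIONS = {"/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch"}
OFFICE_EXT = re.compile(rb"\.(docx?|docm|dotm|xlsx?|xlsm|rtf)$", re.IGNORECASE)


def scan_pdf(data: bytes) -> dict:
    """Heuristic triage of raw PDF bytes. Caveat: names hidden in compressed
    object streams or written with #xx hex escapes are not seen here; a full
    PDF parser is needed for those."""
    # negative lookahead so /EmbeddedFile does not also count /EmbeddedFiles
    counts = {n.decode(): len(re.findall(re.escape(n) + rb"(?![A-Za-z0-9_])", data))
              for n in RISKY_NAMES}
    # attachment file names live in the /F and /UF entries of a /Filespec dictionary
    file_names = re.findall(rb"/(?:UF|F)\s*\(([^)]*)\)", data)
    office = sorted({n.decode("latin-1") for n in file_names if OFFICE_EXT.search(n)})
    has_attachment = counts["/EmbeddedFile"] > 0 or bool(office)
    auto_action = any(counts[n] > 0 for n in AUTO_ACTIONS)
    if has_attachment and auto_action:
        verdict = "suspicious"   # attachment plus auto-run action: the campaign's shape
    elif has_attachment or auto_action:
        verdict = "review"
    else:
        verdict = "clean"
    return {"counts": counts, "office_attachments": office, "verdict": verdict}


# Constructed sample shaped like the lure: a docx attached under a reassuring
# name, and an OpenAction that fires on open (the JS body is a placeholder).
LURE_PDF = (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R "
            b"/Names << /EmbeddedFiles << /Names [(has been verified.docx) 4 0 R] >> >> "
            b"/OpenAction << /S /JavaScript /JS (placeholder) >> >> endobj\n"
            b"4 0 obj << /Type /Filespec /F (has been verified.docx) "
            b"/UF (has been verified.docx) /EF << /F 5 0 R >> >> endobj\n"
            b"5 0 obj << /Type /EmbeddedFile /Length 2 >> stream\nPK\nendstream endobj\n")
# Constructed benign sample: one empty page, no attachments, no actions.
PLAIN_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
             b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n")

if __name__ == "__main__":
    for label, pdf in (("lure", LURE_PDF), ("plain", PLAIN_PDF)):
        print(label, scan_pdf(pdf))
```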


Hackers are exploiting a flaw from 2017

The gift is rather poisoned, since this file will in turn download Snake Keylogger, a particularly virulent piece of malware described as “a modular information stealer with powerful persistence, defense bypass, credential access, data collection and exfiltration capabilities”.

As the researchers point out, however, one condition remains for the attack to work: it only succeeds on endpoints still vulnerable to a specific flaw, CVE-2017-11882. This vulnerability, patched in November 2017, allows remote code execution via the Equation Editor, a Word module that has since been removed. Unfortunately, many professional PCs are still at the mercy of this flaw.

Source : TechRadar
