Hackers Use Weaponized PDF Files to Deliver Byakugan Malware on Windows

by Esmeralda McKenzie

Because they are widely trusted and ubiquitous, hackers continually use weaponized PDF files as attack vectors.

PDFs can carry malicious code or exploits that abuse flaws in PDF readers.

Once such a malicious PDF is opened by an unsuspecting user, the payload runs and infiltrates the system.

Cybersecurity researchers at Fortinet recently identified that hackers have been actively using weaponized PDF files to deliver the Byakugan malware.

Technical analysis

FortiGuard Labs discovered a Portuguese-language PDF file distributing the multi-functional Byakugan malware in January 2024.

The malicious PDF tricks people into clicking a link by presenting a blurred table.

This in turn launches a downloader that drops a copy of itself (require.exe) and downloads a DLL for DLL hijacking.

It then runs require.exe to retrieve the main module (chrome.exe). Notably, the downloader behaves differently when it is named require.exe inside the temp folder, which is a clear sign of evasion.

Infection flow (Source – Fortinet)

A blurred table is displayed on the victims' screens, prompting them to click a link that downloads a DLL for DLL hijacking and drops a copy (require.exe) that starts a downloader.


To retrieve the main module (chrome.exe), require.exe is run.

However, its behavior varies slightly depending on whether or not it has been renamed while being placed in the temp folder, which indicates its evasiveness.

The login page (Source – Fortinet)

This is a node.js malware package that can be executed using pkg. It contains the main script and a few function libraries.

According to a Fortinet report shared with Cyber Security News, downloading additional files into the %APPDATA%\Chrome\Application folder, a directory generated by the malware, also demonstrates its adaptability and persistence.
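The staging behaviour described above (a downloader named require.exe in the user's temp folder, a fake chrome.exe living under %APPDATA%\Chrome\Application) gives defenders a few concrete things to look for in process-creation telemetry. The script below is an added example, not Fortinet's code or part of the report; it assumes events arrive as dicts with `image` and `parent` paths, uses constructed sample events, and assumes the listed directories are the usual locations of a genuine chrome.exe.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Temp\require.exe",
     "parent": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"},
    {"image": r"C:\Users\alice\AppData\Roaming\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\require.exe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Assumption: the usual directories of a genuine chrome.exe. Anything named
# chrome.exe elsewhere (e.g. %APPDATA%\Chrome\Application) is suspicious.
LEGIT_CHROME_DIRS = (
    r"c:\program files\google\chrome\application",
    r"c:\program files (x86)\google\chrome\application",
)
LEGIT_CHROME_USER_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\google\\chrome\\application$")
TEMP_DIR_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp$")
STAGING_DIR_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\roaming\\chrome\\application$")


def check_event(event):
    """Return a list of findings for one process-creation event."""
    image = PureWindowsPath(event["image"])
    name = image.name.lower()
    directory = str(image.parent).lower()
    findings = []
    # The downloader stages a copy of itself as require.exe in temp.
    if name == "require.exe" and TEMP_DIR_RE.match(directory):
        findings.append("downloader staged in user temp: require.exe")
    # The main module masquerades as chrome.exe outside any Chrome install.
    if (name == "chrome.exe" and directory not in LEGIT_CHROME_DIRS
            and not LEGIT_CHROME_USER_RE.match(directory)):
        findings.append("chrome.exe outside known Chrome install path")
    if STAGING_DIR_RE.match(directory):
        findings.append("execution from %APPDATA%\\Chrome\\Application")
    if PureWindowsPath(event.get("parent", "")).name.lower() == "require.exe":
        findings.append("child process spawned by require.exe")
    return findings


def scan(events):
    """Map each event's image path to its findings (empty list = clean)."""
    return {e["image"]: check_event(e) for e in events}
```

Run `scan(SAMPLE_EVENTS)` to see the first two constructed events flagged and the legitimate Chrome launch left clean.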

Byakugan features

Below we have listed all the features of Byakugan:-

  • Screen monitoring
  • Screen capture
  • Miner
  • Keylogger
  • File manipulation
  • Browser data stealer
  • Anti-analysis
  • Persistence

It is part of a growing trend of merging benign-looking components into malware, making it harder to identify accurately because of the increased noise.

The downloaded files, however, revealed some important details about how Byakugan works internally, making it easier to analyze the malicious modules of the Trojan.

IoCs


Source credit : cybersecuritynews.com
