Hackers Weaponize PDF Files to Deliver Multiple Ransomware Variants
PDF files are frequently abused because of their versatility: they can embed malicious scripts or hyperlinks, which makes them a prime vehicle for malware delivery.
Their widespread use and trusted reputation make users more inclined to open an infected PDF without a second thought.
Cybersecurity analysts at AhnLab Security Emergency Response Center (ASEC) have found that hackers are actively using PDF files as a delivery method for multiple ransomware variants.
The hackers distributed weaponized PDF files that contained malicious URLs.
Hackers Weaponize PDF Files
A malicious URL can also be reached by clicking buttons inside the PDF. The displayed page prompts the user, and clicking the red buttons takes them to a malicious URL.
The URL is given below:-
- hxxps://fancli[.]com/21czb7
The link redirects to a page with a blue download button. After downloading an encrypted archive, the user is redirected to a page where the decryption password is published.
The redirected URL is given below:-
- hxxps://pimlm[.]com/c138f0d7e1c8a70876e510fcbb478805FEw1MBufh9gLOVv4erOokBCFouvPxBIEeH3DBT3gv3
After the download, the page prompts the user to decompress the encrypted archive with the password '1234'. Decompressing 'Setup.7z' yields the executable file 'File.exe'.
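The chain above starts with a link action embedded in a PDF, so a defender's first question is "which URLs does this document try to open, and do any of them hit known indicators?" The following Python script is an added example written for this article, not code from ASEC or the article's author. It extracts /URI link targets from a PDF (including those inside Flate-compressed streams), flags risky action keys such as /JavaScript or /Launch, and matches link hosts against the two defanged domains the article lists. The sample PDF is constructed inline; the path on the second link is made up for the sample.

```python
import re
import zlib
from typing import Dict, List
from urllib.parse import urlparse

# Defanged domains from the article's IOCs; refanged only in memory for matching.
IOC_DOMAINS = {"fancli[.]com", "pimlm[.]com"}

# PDF action/feature keys that warrant a closer look during triage.
RISKY_KEY_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|EmbeddedFile)\b")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def refang(s: str) -> str:
    """Turn a defanged indicator (hxxps://x[.]y) back into a matchable form."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every Flate-compressed stream to the raw
    bytes, so link objects hidden in compressed streams are also visible."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed, or a damaged stream; skip it
    return b"\n".join(parts)


def extract_uris(pdf: bytes) -> List[str]:
    """Return every literal-string /URI target found in the document."""
    blob = _inflate_streams(pdf)
    return [
        m.group(1).decode("latin-1").replace("\\(", "(").replace("\\)", ")")
        for m in URI_RE.finditer(blob)
    ]


def _host_is_ioc(url: str, bad_hosts: set) -> bool:
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in bad_hosts)


def triage_pdf(pdf: bytes) -> Dict[str, object]:
    """Summarise link targets, IOC matches and risky action keys for one PDF."""
    blob = _inflate_streams(pdf)
    uris = extract_uris(pdf)
    bad_hosts = {refang(d) for d in IOC_DOMAINS}
    hits = [u for u in uris if _host_is_ioc(u, bad_hosts)]
    risky = sorted({m.group(1).decode() for m in RISKY_KEY_RE.finditer(blob)})
    return {
        "uris": uris,
        "ioc_hits": hits,
        "risky_keys": risky,
        "verdict": "suspicious" if hits or risky else "clean",
    }


# Constructed sample: a one-page PDF with a clickable link to the article's first
# URL, plus a second link object stored inside a Flate-compressed stream
# (the "/download" path on that second link is invented for the sample).
_LINK_OBJ = zlib.compress(
    b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://pimlm.com/download) >> >>"
)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 50] "
    b"/A << /S /URI /URI (https://fancli.com/21czb7) >> >> endobj\n"
    b"5 0 obj << /Length " + str(len(_LINK_OBJ)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _LINK_OBJ + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

The script deliberately works on raw bytes rather than a full PDF parser so it can be run on a quarantined sample without extra dependencies; it does not handle hex-encoded strings or object streams (/ObjStm), so a "clean" verdict here is a quick first pass, not a guarantee.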
When File.exe is run as administrator, it modifies the registry and uses browser login credentials to collect the IP address and system information. It then downloads additional malware to the following paths:-
- C:\Users\%USERNAME%\Pictures
- C:\Users\%USERNAME%\Pictures\Minor Policy
The downloaded malware includes the following:-
- Ransomware
- PUP
- Infostealers
- Droppers
Execution flow
Some of the downloaded files had the hidden and system attributes set. The execution flow begins with a PDF carrying a malicious URL and leads to the download and execution of various types of malware.
The malicious file "bus50.exe", downloaded from the following URL, is an SFX archive containing a CAB file; executing the SFX file creates malicious files in the 'IXP000.TMP' folder:-
- hxxp://109.107.182[.]2/creep/bus50.exe
Successive SFX files create directories containing more and more files, totaling:-
- 6 SFX files
- 7 extra malware
As a recommendation, the researchers advised users to avoid downloading cracks and illegal programs, and to exercise strong caution whenever executing files.
IOC
Hash (MD5)
- d97fbf9d6dd509c78308731b0e57875a (PDF)
- 9ce00f95fb670723dd104c417f486f81 (File.exe)
- 3837ff5bfbee187415c131cdbf97326b (SFX)
- 7e88670e893f284a13a2d88af7295317 (RedLine)
Download URLs
- hxxps://vk[.]com/doc493219498_672808805?hash=WbT8ERQ6JqZtcpYqYQ1dqT20VUT6H55UBeZPohjBEcL&dl=OZT9YtCLo5wh0Asz409V6q2waoA5QzfpbHWRNw1XuN4&api=1&no_preview=1
- hxxp://171.22.28[.]226/download/Companies.exe
- hxxp://109.107.182[.]2/creep/bus50.exe
- hxxp://albertwashington[.]icu/timeSync.exe
- hxxps://experiment[.]pw/setup294.exe
- hxxps://sun6-22.userapi[.]com/c909518/u493219498/docs/d15/e2be9421af16/crypted.bmp?extra=B1RdO-HpjVMqjnLdErJKOdzrctd5D25TIZ1ZrBNdsU03rpLayqZ7hZElCroMxCocAIAu5NtmHqMC_mi0SftWWlSiCt45Em-FJQwMgKimJjxdYqtQzgUWp3F9Fo0vrbdrH_15KJlju51Y3LM
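The indicators above are only useful once they are turned into checks. The following Python script is an added example for this article, not ASEC's or the author's code: it loads the MD5 hashes and download URLs exactly as published (defanged), refangs the URLs only in memory, and then (a) labels a file by hashing its contents and (b) scans proxy log lines for requests to the download hosts. The log format and log lines are constructed for the example; hosts are compared exactly, so a look-alike domain does not match.

```python
import hashlib
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicators copied verbatim from the article (defanged as published).
IOC_MD5: Dict[str, str] = {
    "d97fbf9d6dd509c78308731b0e57875a": "PDF",
    "9ce00f95fb670723dd104c417f486f81": "File.exe",
    "3837ff5bfbee187415c131cdbf97326b": "SFX",
    "7e88670e893f284a13a2d88af7295317": "RedLine",
}
IOC_URLS = [
    "hxxp://171.22.28[.]226/download/Companies.exe",
    "hxxp://109.107.182[.]2/creep/bus50.exe",
    "hxxp://albertwashington[.]icu/timeSync.exe",
    "hxxps://experiment[.]pw/setup294.exe",
]


def refang(s: str) -> str:
    """Turn a defanged indicator (hxxp://x[.]y) back into a matchable form."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def ioc_hosts() -> set:
    """Hostnames (or IPs) of the download URLs, ready for log matching."""
    return {urlparse(refang(u)).hostname for u in IOC_URLS}


def label_for_md5(digest: str) -> Optional[str]:
    """Look up an MD5 hex digest (any case) in the IOC table."""
    return IOC_MD5.get(digest.lower())


def label_for_bytes(data: bytes) -> Optional[str]:
    """Hash a file's contents and look the digest up in the IOC table."""
    return label_for_md5(hashlib.md5(data).hexdigest())


# Constructed proxy log format: "<epoch> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose request host is an IOC host."""
    bad = ioc_hosts()
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than crash the scan
        ts, client, _method, url, _status = m.groups()
        host = urlparse(url).hostname
        if host in bad:
            hits.append({"ts": ts, "client": client, "host": host, "url": url})
    return hits


# Constructed sample log lines; the last one is a look-alike host that must not match.
SAMPLE_LOG = """\
1700000000.123 10.0.0.5 GET http://109.107.182.2/creep/bus50.exe 200
1700000001.456 10.0.0.5 GET http://www.example.com/index.html 200
1700000002.789 10.0.0.7 GET https://experiment.pw/setup294.exe 200
1700000003.000 10.0.0.9 GET https://notexperiment.pw/a.exe 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Because the article gives MD5 only, the hash check is a quick identity test for the exact samples ASEC analysed; a repacked SFX or a recompiled File.exe will have a different digest, so the network indicators and the file paths under the user's Pictures folder are the more durable hunting leads.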
Source credit : cybersecuritynews.com