Hackers Weaponize PDF Files to Deliver Multiple Ransomware Variants

by Esmeralda McKenzie

PDF files are widely used because of their versatility, which makes them a prime vehicle for malware delivery: they can embed malicious scripts or hyperlinks.

Their widespread use and trusted reputation make users more inclined to open infected PDFs without suspicion.

Cybersecurity analysts at AhnLab Security Emergency Response Center (ASEC) have found that hackers are actively using PDF files as a delivery method for several ransomware variants.

The hackers distributed weaponized PDF files that contained malicious URLs.

Hackers Weaponize PDF Files

The malicious URL is reached by clicking buttons inside the PDF. The displayed page prompts the user, and clicking the red buttons opens a specific URL.

Malicious PDF (Source: ASEC)
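The lure works because a PDF link annotation can carry a /URI action that the viewer follows when the button is clicked. The following triage script is an added example, not code from ASEC or from the original article: it builds a constructed minimal PDF with one such annotation (the URL in it is a placeholder, not the one from the report), extracts every /URI string and flags the other action types that commonly carry malicious behaviour, so an analyst can see where a document wants to send the reader before anyone clicks.

```python
import re

# Constructed sample: a minimal PDF whose only page holds a clickable
# link annotation with a /URI action. The URL is a placeholder, not an IOC.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 190 90]
   /A << /S /URI /URI (https://download-button.example.invalid/file) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI key followed by a literal string "( ... )"; a backslash-escaped ')'
# does not terminate the string.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)

# Action and dictionary keys that warrant a closer look in a document that
# arrived unsolicited: script execution, program launch, auto-run actions,
# and embedded payload files.
RISKY_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|EmbeddedFile)\b")


def extract_uris(pdf_bytes):
    """Return every URL carried by a /URI action as a decoded string."""
    uris = []
    for match in URI_RE.finditer(pdf_bytes):
        raw = match.group(1).replace(b"\\)", b")").replace(b"\\(", b"(")
        uris.append(raw.decode("latin-1"))
    return uris


def risky_actions(pdf_bytes):
    """Return the sorted set of risky action keys present in the file."""
    return sorted({m.group(1).decode() for m in RISKY_RE.finditer(pdf_bytes)})


def triage(pdf_bytes):
    """Summarise what the document can do when a reader interacts with it."""
    findings = {
        "uris": extract_uris(pdf_bytes),
        "risky_actions": risky_actions(pdf_bytes),
    }
    findings["suspicious"] = bool(findings["uris"] or findings["risky_actions"])
    return findings


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    print("suspicious:", report["suspicious"])
    for uri in report["uris"]:
        print("link target:", uri)
    for action in report["risky_actions"]:
        print("risky action:", action)
```

The regex approach only sees objects that are stored in plain text. Documents whose objects sit inside compressed object streams, or whose strings are encrypted, hide their actions from it, so a clean result from this script is not a clean bill of health; it is a fast first pass before a full parser or a sandbox detonation.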

The URL is listed below:

  • hxxps://fancli[.]com/21czb7

The link redirects to a page with a blue download button. After downloading an encrypted archive, the user is redirected to a web page where the decryption password is published.

Redirected web page (Source: ASEC)

The redirected URL is listed below:

  • hxxps://pimlm[.]com/c138f0d7e1c8a70876e510fcbb478805FEw1MBufh9gLOVv4erOokBCFouvPxBIEeH3DBT3gv3

After the download, the web page instructs the user to decompress the encrypted archive with the password ‘1234.’ Decompressing ‘Setup.7z’ yields the executable file “File.exe.”


Executing File.exe as administrator modifies the registry and uses browser login credentials to collect IP and system information. After that, additional malware is downloaded to the following paths:

  • C:\Users\%USERNAME%\Pictures
  • C:\Users\%USERNAME%\Pictures\Minor Policy

The downloaded malware consists of the following:

  • Ransomware
  • PUP
  • Infostealers
  • Droppers

Execution flow

Some of the downloaded files had the hidden and system attributes set. The flow begins with a PDF carrying a malicious URL and leads to the download and execution of various malware types.

Malware distribution (Source: ASEC)

The malicious file “bus50.exe,” fetched from the following location, is an SFX archive containing a CAB file; executing the SFX creates malicious files in the ‘IXP000.TMP’ folder:

  • hxxp://109.107.182[.]2/creep/bus50.exe

SFX archives that run one after another create directories holding progressively more files, in total:

  • 6 SFX files
  • 7 extra malware
Execution flow (Source: ASEC)

As a recommendation, the researchers advised users to avoid downloading cracks and illegal programs and, beyond that, to exercise strong caution even when executing files.

IOC

Hash (MD5)

  • d97fbf9d6dd509c78308731b0e57875a (PDF)
  • 9ce00f95fb670723dd104c417f486f81 (File.exe)
  • 3837ff5bfbee187415c131cdbf97326b (SFX)
  • 7e88670e893f284a13a2d88af7295317 (RedLine)

Download URLs

  • hxxps://vk[.]com/doc493219498_672808805?hash=WbT8ERQ6JqZtcpYqYQ1dqT20VUT6H55UBeZPohjBEcL&dl=OZT9YtCLo5wh0Asz409V6q2waoA5QzfpbHWRNw1XuN4&api=1&no_preview=1
  • hxxp://171.22.28[.]226/download/Companies.exe
  • hxxp://109.107.182[.]2/creep/bus50.exe
  • hxxp://albertwashington[.]icu/timeSync.exe
  • hxxps://experiment[.]pw/setup294.exe
  • hxxps://sun6-22.userapi[.]com/c909518/u493219498/docs/d15/e2be9421af16/crypted.bmp?extra=B1RdO-HpjVMqjnLdErJKOdzrctd5D25TIZ1ZrBNdsU03rpLayqZ7hZElCroMxCocAIAu5NtmHqMC_mi0SftWWlSiCt45Em-FJQwMgKimJjxdYqtQzgUWp3F9Fo0vrbdrH_15KJlju51Y3LM


Source credit : cybersecuritynews.com
