New Keylogger is Transmitted Through PDFs
- By Patrick Ryan
- May 24, 2022
A keylogger is infecting computers through malicious PDF files. The Snake keylogger campaign is driven by emails that deliver PDF files together with Microsoft Word documents. The keylogger takes advantage of an RCE bug in Office that is more than two decades old.
What is the new Malware all About?
Researchers determined that the campaign relies primarily on PDF files to deliver the malware. The Office bug noted above then spreads the keylogger further through the target system. The keylogger was identified by digital security specialists at HP Wolf Security. The campaign aims to fool targets into opening PDF files attached to messages. Those messages purport to contain payment remittances but actually conceal malware that steals the targets’ information, using evasion tactics to sidestep detection.
Why is the Attack Important?
This attack is unique and meaningful for several reasons. For one, the attack exploits a bug within Office that is 20+ years old. Add in the fact that the technique uses PDF documents to steal information, and it is even more intriguing, albeit disturbing at the same time. The attack comes at a time when some in the digital security industry insisted the use of PDFs to spread malware was a dated strategy.
The chain culminates in the Snake keylogger, first developed in .NET in 2020. The Snake keylogger is designed to steal valuable information from a computing device. In particular, it targets stored login credentials, keystrokes, data saved to the clipboard, and even screen captures of the victim’s display. You can do your part to upgrade your computer and network defenses by adding to your digital security protections today.
How Was the PDF Threat Identified?
The digital security specialists referenced above found the PDF-based threat in the final week of March 2022. The campaign used an unusual infection chain built around a PDF, with tricks that helped it bypass detection: the PDFs carried encrypted shellcode, remotely hosted exploits and embedded malicious files. The attack emails carry the PDF as an attachment, with the word “remittance” intentionally misspelled in its name. The PDF includes a .docx file as an EmbeddedFile object, which causes Word to open once the embedded file is clicked.
How Was the Outdated Bug Exploited?
The attack also exploits a bug that is almost two decades old. Connecting to the attack’s URL causes a redirect and the download of an RTF file. That file contains objects carrying shellcode that exploits a remote code execution vulnerability. Microsoft supposedly addressed the bug nearly half a decade ago.
It turns out the bug had existed for nearly 20 years before that point, meaning the bug in question is now 22+ years old. The attack ends with shellcode inside the OLE objects’ OLENativeStream structure, which decrypts text to trigger further shellcode execution and the loading of the keylogger.