Fake PDF Invoices spreading Snake KeyLogger

Good morning all,

If you are an individual who regularly receives and reviews invoices, please read the below carefully!

In our February security bulletin we alerted everyone to credential-harvesting malware called Emotet that was being spread via infected Excel spreadsheets attached to emails. This week we have received multiple alerts of a similar malicious attachment, this time a PDF, most often posing as an invoice from a vendor. In some cases the email may actually come from a trusted address that will not be blocked by rudimentary spam filters.

What it Looks Like

A PDF attachment with the name “REMITTANCE INVOICE.pdf” is sent to a target. After opening the document, Adobe Reader prompts the user to open a .docx file cleverly named “has been verified. However PDF, Jpeg, xlsx, .docx” so that the file name looks like part of the Adobe Reader prompt (see Figure 1, below).

Figure 1: An example of the Adobe Reader prompt a user would see when opening the infected PDF.

Once the user opens the embedded .docx file, and if Protected View is turned off, the document downloads a Rich Text (.rtf) file from a web server, which is then run inside the document. Connecting to this web server allows a series of other files to be pulled down to the target computer, which in turn allows the attackers to run arbitrary code and deliver a payload called fresh.exe. This executable places itself in a folder that forces it to start every time Windows boots. The executable is Snake Keylogger, a family of information-stealing malware that you can read more about here. Although we’ve seen Snake Keylogger become a popular way to harvest credentials in the past, this delivery method for it is novel and very sneaky.
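The delivery chain above starts with a PDF that carries an embedded Office file and an action that gets it opened. As an added triage example (not code from the original bulletin or from Netwurx), the script below scans a PDF's raw bytes for the name objects that make up that pattern and pulls out the names of embedded files, so a mail gateway or analyst can flag a "verified" .docx hiding inside an invoice before anyone clicks. The sample document is constructed here, not the campaign's real file, and the raw-byte approach only sees uncompressed objects, so a hit on /ObjStm means a full parser is needed before the file can be cleared.

```python
import re

# Constructed test document (NOT the campaign's real sample): a PDF whose open
# action launches an embedded file named like the lure described above.
LURE_NAME = b"has been verified. However PDF, Jpeg, xlsx, .docx"
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /OpenAction 2 0 R /Names << /EmbeddedFiles 3 0 R >> >> endobj
2 0 obj << /S /Launch /F (""" + LURE_NAME + b""") >> endobj
3 0 obj << /Names [(""" + LURE_NAME + b""") 4 0 R] >> endobj
4 0 obj << /Type /Filespec /F (""" + LURE_NAME + b""") /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 2 >> stream
PK
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects worth counting in a raw-byte triage pass
KEYS = [b"/EmbeddedFile", b"/Launch", b"/OpenAction", b"/JavaScript", b"/JS", b"/URI", b"/ObjStm"]
# Embedded-file extensions that should never ride inside an "invoice"
RISKY_EXT = (".docx", ".doc", ".rtf", ".xls", ".xlsx", ".exe", ".js", ".vbs", ".lnk")

def scan_pdf(data: bytes) -> dict:
    """Count each key; the lookahead keeps /EmbeddedFile from matching /EmbeddedFiles."""
    return {k.decode(): n for k in KEYS
            if (n := len(re.findall(re.escape(k) + rb"(?![A-Za-z])", data)))}

def embedded_filenames(data: bytes) -> list:
    """Return the /F (...) names from /Filespec dictionaries (uncompressed objects only)."""
    return [m.group(1).decode("latin-1")
            for m in re.finditer(rb"/Filespec.*?/F\s*\((.*?)\)", data, re.S)]

def verdict(data: bytes) -> str:
    """Rough triage: an embedded file plus a way to get it opened is the pattern above."""
    hits = scan_pdf(data)
    embedded = "/EmbeddedFile" in hits
    trigger = any(k in hits for k in ("/Launch", "/JS", "/JavaScript"))
    risky_name = any(n.lower().endswith(RISKY_EXT) for n in embedded_filenames(data))
    if embedded and (trigger or risky_name):
        return "high"
    if embedded or trigger or "/ObjStm" in hits:
        return "medium"  # /ObjStm: objects are compressed, so this scan may be blind
    return "low"         # /OpenAction alone is common in benign PDFs and is not scored

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF), embedded_filenames(SAMPLE_PDF), verdict(SAMPLE_PDF))
```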

What Can You Do?

At the very least, these very important measures should be taken:

  1. Multi-factor authentication on every user account that has access to email

  2. Ensuring domain security (DMARC, DKIM, and SPF records)

  3. Robust third-party email spam and phishing protection

  4. Non-consumer grade Antivirus and Enhanced Threat Detection and Response (ETDR) software

Unfortunately, as we move forward in this landscape of cybercrime, built-in or consumer antivirus software and security tools will not be enough to protect you and your company from attacks like this. The measures above are the bare minimum nowadays for rudimentary security. We strongly recommend a full security stack of products and services that will protect you from multiple threats and attack vectors.

If you are self-managing your email, or if it is being managed by a webmaster or the company/individual who maintains your website, please ensure that these steps are being taken to protect you, your employees, and your business’ data. Not every breach ends at credential harvesting: 70% of encryption attacks start with emails just like these. Additionally, if you are not subscribed to any of the Kaizen security stacks, or have questions about what security services you are receiving from us, I strongly recommend you give us a call as soon as possible.

What We are Doing

The measures noted above are good general recommendations to employ no matter the systems you run and are not specific to any of the solutions you receive from Netwurx. That being said, we take seriously the trust you have put in us, and we will continue to take every measure available to ensure the integrity and safety of your data and your customers’ data. We invest heavily in delivering the highly secure products, services, and 24/7 system monitoring that you’ve come to expect. This investment extends to communications such as this email and to software deployment, both of which are meant to serve as another layer of defense against cybercrime. We do not take this matter lightly.

Conclusion

While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems. Embedding files, loading remotely-hosted exploits and encrypting shellcode are just three techniques attackers use to run malware under the radar. The vulnerability exploited in this campaign (CVE-2017-11882) is over four years old, yet continues to be used, suggesting there are plenty of unpatched Windows devices still out there that keep this exploit effective for attackers.

Stay Vigilant,

Ryan S. McKee

Director of Operations
