Hackers leverage 22 year-old Office RCE bug in a malicious email campaign to spread Snake keylogger via Microsoft Word alongside PDFs.
The majority of malicious e-mail campaigns use Word documents to hide and spread malware, however, a recently discovered campaign uses a malicious PDF file in combination with a 22-year-old Office bug to spread the Snake Keylogger malware. A trusted IT partner should utilize and provide your company with a next-generation anti-virus to thwart such common attack methods.
The campaign—discovered by researchers at HP Wolf Security—aims to trick victims with via a PDF file purporting to have information about a remittance payment. Instead, it deploys info-stealing malware via an embedded Word document file.
“While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems,” HP Wolf Security researcher Patrick Schlapfer wrote in the post, which opined in the headline that “PDF Malware Is Not Yet Dead.”
Most attackers to date have preferred to package malware in Microsoft Office file formats, particularly Word and Excel, for the past decade, Schlapfer said. In the first quarter of 2022 alone, nearly half (45 percent) of malware stopped by HP Wolf Security used Office formats.
“The reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures,” he wrote.
The new campaign does use PDF in the file lure, however, it later employs Microsoft Word to deliver the ultimate payload—the Snake Keylogger, researchers found. Snake Keylogger is a malware developed using .NET that first appeared in late 2020 and is aimed at stealing sensitive information from a victim’s device, including stored credentials, computer keystrokes, screenshots of the victim’s screen, and clipboard data, according to Fortinet.
The HPW Wolf Security team noted that the new PDF-based threat campaign involved not just a PDF but also “several tricks to evade detection, such as embedded malicious files, loaded remotely-hosted exploits and shellcode encryption,” Schlapfer wrote.
Attackers attempt to target victims with emails that include a PDF document named “REMMITANCE INVOICE.pdf” as an attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file.
“The attackers sneakily named the Word document “has been verified. However PDF, Jpeg, xlsx, .docx” to make it look as though the file name was part of the Adobe Reader prompt.”
The .docx file is stored as an EmbeddedFile object within the PDF, which opens the file in Microsoft Word if clicked on. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which is then run in the context of the open document.
Researchers unzipped the contents of the .rtf—which is an Office Open XML file—finding a URL hidden in the “document.xml.rels” file that is not a legitimate domain found in Office documents.
17-Year-Old Bug Exploited
The aforementioned URL leads to a redirect and then downloads an RTF document called “f_document_shp.doc. This document contained two “not well-formed” OLE objects that revealed shellcode exploiting CVE-2017-11882, which researchers said is an “over four-years-old” remote code execution vulnerability (RCE).
The bug that attackers leverage in the campaign is actually one that Microsoft patched more than four years ago–in 2017, to be exact—but actually had existed some 17 years before that, making it 22 years old now.
As the final act of the attack, researchers found shellcode stored in the “OLENativeStream” structure at the end of one of the OLE objects they examined. The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed to lead to an executable called fresh.exe that loads the Snake Keylogger.
Cyber-attacks are on the rise, and we’re happy to help you attain the protection your business needs against attacks. Please contact us if you require IT assistance!