A few weeks on from Microsoft warning Windows users that PDF attachments are increasingly being used in attacks, there’s another warning and a new lure. While the Windows-maker’s alert for PC users came ahead of tax day in the U.S., the new attack is less time critical and has a nasty trick in how it masks its malicious intent.
Microsoft’s tax day warning called out “PDF attachments with an embedded DoubleClick URL that redirected users to a Rebrandly URL shortening link. That link in turn redirected the browser to a landing site that displayed a fake DocuSign page hosted on a domain masquerading as DocuSign.”
When users clicked to download, “the outcome depended on whether their system and IP address were allowed to access the next stage based on filtering rules set up by the threat actor.” This was a clever form of obfuscation to make it more difficult for security researchers to replicate the attack and craft a fix.
Now, the team at TrustWave SpiderLabs warn “we’ve spotted a campaign delivering RemcosRAT, using a fake payment SWIFT copy to lure victims. The attached PDF links to an obfuscated JavaScript file that uses ActiveXObject to fetch a second-stage script. This script invokes PowerShell to download and decode an image hosted on archive.org, which appears harmless but conceals the Remcos payload using steganography.”
Again, obfuscation here is key. The latest trickery in malicious PDFs is to hide links behind QR codes or to compile PDFs without the usual URL tag, making it harder to a security scan to pick up the treat. Steganography takes this to a new level, hiding the link in an image, and making it all but impossible for a user to detect.
As Kaspersky explains, “steganography is the practice of concealing information within another message or physical object to avoid detection. Steganography can be used to hide virtually any type of digital content, including text, image, video, or audio content. That hidden data is then extracted at its destination. Content concealed through steganography is sometimes encrypted before being hidden within another file format. If it isn’t encrypted, then it may be processed in some way to make it harder to detect.”
According to Cybersecurity News, the new attack “begins with a phishing email that attaches a PDF file contains a malicious link, specifically pointing to malicious webpage: https://huadongarmouredcable.com/pdf/default.php… luring victims into a multi-stage infection process designed to deliver RemcosRAT, a malware known for its ability to remotely control infected systems.”
RemcosRAT is a nasty trojan you don’t want anywhere near your PC. But the warning is not really that specific. PDFs are highlighted as a new favorite for cyber attacks, given user wariness as regards Office documents. The feeling amongst users seems to be that PDFs are more benign and therefore safer. Unfortunately, that’s not the case.
As for what to look for here. An email headed “SWIFT Copy” that purports to confirm a bank transfer with an attacked receipt. While for most this lure is typical of the raft of latest threats, these campaigns are hitting plenty of marks. That’s why they proliferate.
Delete on sight.