Tag Archive for: PDFs

Beware of encrypted PDFs as the latest trick to deliver malware to you


Russian-backed hackers are using malware disguised as a PDF encryption tool to steal your information. According to the Threat Analysis Group report, COLDRIVER will send victims encrypted PDFs. When the unsuspecting victim replies saying they can’t see the PDF, the group will send a download link that poses as an encryption tool. But it’s really malware.

According to Threat Analysis Group (TAG), a specialized team within Google that focuses on identifying and countering security threats, COLDRIVER primarily deals with phishing attacks. This malware-based attack is therefore relatively new territory for the group.


COLDRIVER’s backdoor malware attack

The attack itself is pretty simple. As previously mentioned, attackers send an encrypted PDF and then a malware-loaded “encryption tool” once the victim responds. That “encryption tool” even displays a fake PDF document to sell the ruse. In reality it installs a backdoor called Spica on your device.

Spica steals cookies from Google Chrome, Firefox, Edge and Opera in order to harvest your information. Google says it has been in use since September 2023, although there are instances of COLDRIVER activity dating back to 2022.

Google says it’s added all domains, websites and files involved in the attacks to its Safe Browsing service. The company has also notified targeted users that they were at risk of an attack.



How to protect yourself

1) Don’t download bootleg software: It’s not worth the risk to download bootleg software. It exposes your device to potential security threats, such as viruses and spyware.  If someone emails you a link for a download, make sure it’s from a reputable source and scan it. Downloading software from reputable app stores is definitely the way to go to protect your devices.

2) Don’t click on suspicious links or files: If you encounter a link that looks suspicious, misspelled, or unfamiliar, avoid clicking on it. Instead, consider going directly to the company’s website by manually typing in the web address or searching for it in a trusted search engine….

Source…

How To Safely Open Suspicious PDFs




Y0ur P@ssw0rd S*cks is a bi-weekly column that answers the most pressing internet security questions web_crawlr readers have to make sure they can navigate the ‘net safely. If you want to get this column a day before we publish it, subscribe to web_crawlr, where you’ll get the daily scoop of internet culture delivered straight to your inbox.


In today’s “Your Password Sucks” column for web_crawlr, Mikael answers a question you’ve likely had: What do I do with a suspicious PDF?

You’ve undoubtedly opened a PDF file before.

Given its status as the world’s most popular business document format, you’ve almost certainly dealt with PDF files at work if not at home.

But as you may be aware, PDF files can at times pose a risk. Specifically, PDFs can be used to infect your computer with malware.

If you’ve ever gotten a mysterious email before from an unknown sender that asks you to download and open a PDF, it’s entirely possible that you’ve been targeted, perhaps randomly, by such an attack.

While most internet users are familiar with antivirus software and other common tools, not as many are familiar with the potential dangers posed by PDFs.

So what do you do if you receive a suspicious PDF? Just open it? Ignore it?

If you receive a suspicious file at work, it’s probably best to alert a superior to confirm the item’s legitimacy before opening it. But the whole point of a malicious PDF, whether sent to your email at work or your personal email at home, is to trick you into opening it.

How do I safely open a suspicious PDF?

One of the simplest ways to safely open a PDF, in my humble opinion, is through the use of a tool known as Dangerzone.

Available for Windows, Mac, and Linux, Dangerzone is a completely free program that will sanitize a wide array of files including PDFs, Microsoft Office documents, and images.

Open Dangerzone and select your file; the program opens it in a secure container, usually via a third-party program like Docker. Dangerzone then produces a new copy of the file with any embedded items and data stripped away.
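Before a suspicious file is handed to a sanitizer like Dangerzone, a defender often wants a quick triage of what the PDF is trying to do. The script below is an added example, not code from the column or from the Dangerzone project: it counts PDF names that mark active or embedded content (/OpenAction, /JavaScript, /Launch, /EmbeddedFile and similar) in the raw bytes and inside FlateDecode streams, and runs against two constructed, minimal PDFs built in the block.

```python
import re
import zlib

# Names that mark active or embedded content in a PDF. A hit is a triage
# signal, not proof of malice: benign forms and link-bearing PDFs use some of these.
RISKY_NAMES = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/URI"]

def _inflate_streams(data):
    """Yield the decompressed body of every FlateDecode stream, so names hidden
    inside compressed objects (including /ObjStm object streams) are examined too.
    Streams using other filters, or an encrypted file, are silently skipped."""
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)endstream", data, re.S):
        try:
            # decompressobj tolerates the EOL bytes that precede 'endstream'
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue

def triage_pdf(data):
    """Return {name: count} for every risky name seen in the raw bytes or in
    inflated streams. An empty dict means no markers seen, not a clean bill."""
    findings = {}
    for view in [data, *_inflate_streams(data)]:
        for name in RISKY_NAMES:
            # Require a delimiter after the name so /JS does not also count /JSX.
            hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", view))
            if hits:
                findings[name.decode()] = findings.get(name.decode(), 0) + hits
    return findings

def _flate_stream(body, extra=b""):
    """Build a stream object (constructed test data) with the body deflated."""
    comp = zlib.compress(body)
    return (b"<< /Length %d /Filter /FlateDecode %s>>\nstream\n" % (len(comp), extra)
            + comp + b"\nendstream")

# Constructed, minimal (not fully valid) PDFs: one plain document, and one whose
# catalog fires an /OpenAction whose JavaScript sits inside an object stream.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")
JS_ACTION = b"4 0 << /S /JavaScript /JS (app.alert('constructed sample')) >>"
SUSPICIOUS_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
                  b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
                  b"5 0 obj " + _flate_stream(JS_ACTION, b"/Type /ObjStm /N 1 /First 4 ")
                  + b" endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
```

Streams with other filters and files carrying /Encrypt are not inspected, so a zero result is not a clearance; the container-based conversion Dangerzone performs remains the safe way to actually open the file.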

As noted on Dangerzone’s…

Source…

Russian Group Delivering Malware Using PDFs: Google


SAN FRANCISCO, CA (IANS) – Google researchers have observed that the notorious Russian threat group COLDRIVER, long focused on credential phishing, has now gone beyond it by delivering “malware via campaigns using PDFs as lure documents”.

Also known as ‘UNC4057’, ‘Star Blizzard’ and ‘Callisto’, the group has focused on credential phishing against Ukraine, NATO countries, academic institutions, and NGOs.

To gain the trust of targets, the group often utilizes impersonation accounts, pretending to be an expert in a particular field or somehow affiliated with the target.

According to new research by Google’s Threat Analysis Group (TAG), Coldriver has increased its activity in recent months and is now using new tactics that can cause more disruption to its victims.

“As far back as November 2022, TAG has observed Coldriver sending targets benign PDF documents from impersonation accounts,” Google said in a blogpost on January 18.

The threat group presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted, the researchers explained.

If the target responds that they cannot read the encrypted document, the Coldriver impersonation account responds with a link, usually hosted on a cloud storage site, to a “decryption” utility for the target to use.

“This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving Coldriver access to the victim’s machine,” the researchers said.

In 2015 and 2016, TAG observed Coldriver using the Scout implant that was leaked during the Hacking Team incident of July 2015.

SPICA represents the first custom malware that the TAG researchers attribute to being developed and used by Coldriver.

The researchers have observed SPICA being used as early as September 2023, but believe that Coldriver’s use of the backdoor goes back to at least November 2022.

Source…

Hackers Set Up 100,000 Websites Delivering Malware Via Malicious PDFs


Researchers have found thousands of malicious web pages online that together make up a serious malware campaign. As observed, the hackers have set up 100,000+ such websites delivering malware to target users via malicious PDFs.

100,000 Websites Delivering Malware Via PDFs

Security researchers from cybersecurity firm eSentire have recently shared details of a new malware campaign in the wild.

Specifically, they found over 100,000 different websites hosting malicious PDFs that deliver malware to users. These websites target enterprise customers, hosting PDFs related to business activities such as templates, questionnaires, invoices, or receipts. The malicious sites also use these terms as keywords to rank higher in search engine results pages (SERPs).

How The Attack Works

In brief, the attack begins when a user lands on one of the malicious websites while searching for such documents. When the user clicks the download option to get the PDF, the site redirects them to another malicious web page, which then delivers a malicious executable disguised as a document file (PDF or Word).

This executable installs a RAT identified as SolarMarker on the target device, bundled with the legitimate Slim PDF reader app, possibly to reassure the target user.
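The chain above hinges on one mismatch: the user expects a PDF or Word file, the server delivers an executable. The following detection is an added example, not code from eSentire's post, that runs over constructed download records (URL, Content-Type, Content-Disposition and the body's leading bytes, as a proxy would log them) and flags downloads presented as documents whose body is actually an executable, including double-extension names. Hostnames are placeholders, not indicators.

```python
import re
from collections import namedtuple

# One constructed record per download, mirroring proxy log fields: URL requested,
# Content-Type and Content-Disposition returned, and the first bytes of the body.
Download = namedtuple("Download", "url content_type disposition magic")

# A name "looks like a document" when a document extension comes last or sits
# just before one more short extension (invoice.pdf.exe style double extensions).
DOC_NAME = re.compile(r"\.(pdf|docx?|xlsx?)(\.[a-z0-9]{1,4})?$", re.I)
DOC_TYPES = {"application/pdf", "application/msword",
             "application/vnd.openxmlformats-officedocument.wordprocessingml.document"}
EXE_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}

def claimed_name(d):
    """Filename the user was led to expect; Content-Disposition wins over the URL path."""
    m = re.search(r'filename="?([^";]+)"?', d.disposition or "")
    return m.group(1) if m else d.url.rsplit("/", 1)[-1].split("?")[0]

def body_kind(d):
    """Classify the body by its leading bytes, ignoring what the server claims."""
    for magic, kind in EXE_MAGIC.items():
        if d.magic.startswith(magic):
            return kind
    return "PDF" if d.magic.startswith(b"%PDF") else "other"

def flag_disguised_executables(downloads):
    """Return (claimed name, kind) for every download presented as a document
    by name or Content-Type whose body is in fact an executable."""
    alerts = []
    for d in downloads:
        name, kind = claimed_name(d), body_kind(d)
        looks_like_doc = bool(DOC_NAME.search(name)) or d.content_type in DOC_TYPES
        if looks_like_doc and kind.endswith("executable"):
            alerts.append((name, kind))
    return alerts

# Constructed sample log: a real PDF, a PE served under a PDF name and type,
# a double-extension name, and a legitimate installer download that must not alert.
SAMPLE_LOG = [
    Download("https://files.example.test/quarterly_report.pdf", "application/pdf", None, b"%PDF-1.5\n"),
    Download("https://cdn.example.test/get?id=7", "application/pdf",
             'attachment; filename="invoice_template.pdf"', b"MZ\x90\x00\x03"),
    Download("https://cdn.example.test/receipt_form.pdf.exe", "application/x-msdownload", None, b"MZ\x90\x00\x03"),
    Download("https://vendor.example.test/slimpdf-setup.exe", "application/x-msdownload", None, b"MZ\x90\x00\x03"),
]
```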

SolarMarker is not new malware; it has appeared numerous times in earlier campaigns under different names, such as Jupyter, Yellow Cockatoo, and Polazert.

Once established on the target device, the malware can then execute a variety of activities. As the researchers described in their post,

Once the RAT is on the victim’s computer and activated, the threat actors can send commands and upload additional malware to the infected system, such as ransomware, a credential stealer, a banking trojan, or simply use the RAT as a foothold into the victim’s network.

A detailed technical analysis of the malware campaign is available in the researchers’ post.

In an earlier campaign, Jupyter behaved as an info-stealer as well as a backdoor that could download other malware too.

Source…