Snake Keylogger Spreads Through Malicious PDFs

Microsoft Word also leveraged in the email campaign, which uses a 22-year-old Office RCE bug.

While most malicious e-mail campaigns use Word documents to hide and spread malware, a recently discovered campaign uses a malicious PDF file and a 22-year-old Office bug to propagate the Snake Keylogger malware, researchers have found.

The campaign—discovered by researchers at HP Wolf Security—aims to dupe victims with an attached PDF file purporting to have information about a remittance payment, according to a blog post published Friday. Instead, it loads the info-stealing malware, using some tricky evasion tactics to avoid detection.

“While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems,” HP Wolf Security researcher Patrick Schlapfer wrote in the post, which opined in the headline that “PDF Malware Is Not Yet Dead.”
Infosec Insiders NewsletterIndeed, attackers using malicious email campaigns have preferred to package malware in Microsoft Office file formats, particularly Word and Excel, for the past decade, Schlapfer said. In the first quarter of 2022 alone, nearly half (45 percent) of malware stopped by HP Wolf Security used Office formats, according to researchers.

“The reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures,” he wrote.

Still, while the new campaign does use PDF in the file lure, it later employs Microsoft Word to deliver the ultimate payload—the Snake Keylogger, researchers found. Snake Keylogger is a malware developed using .NET that first appeared in late 2020 and is aimed at stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data, according to Fortinet.

‘Unusual’ Campaign

The HPW Wolf Security team noticed a new PDF-based threat campaign on March 23 with an “unusual infection chain,” involving not just a PDF but also “several tricks to evade detection, such as embedding malicious files, loading remotely-hosted exploits and shellcode encryption,” Schlapfer wrote.

Attackers target victims with emails that include a PDF document named “REMMITANCE INVOICE.pdf”—misspelling intended–as attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file with a rather curious name, researchers found.

“The attackers sneakily named the Word document “has been verified. However PDF, Jpeg, xlsx, .docx” to make it look as though the file name was part of the Adobe Reader prompt,” according to the post.

The.docx file is stored as an EmbeddedFile object within the PDF, which opens Microsoft Word if clicked on, researchers found. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which then is run in the context of the open document.

Researchers unzipped the contents of the .rtf—which is an Office Open XML file—finding a URL hidden in the “document.xml.relsfile that is not a legitimate domain found in Office documents, they said.

17-Year-Old Bug Exploited

Connecting to this URL leads to a redirect and then downloads an RTF document called “f_document_shp.doc. This document contained two “not well-formed” OLE objects that revealed shellcode exploiting  CVE-2017-11882, which researchers said is an “over four-years-old” remote code execution vulnerability (RCE) in Equation Editor.

Equation Editor is app installed by default with the Office suite that’s used to insert and edit complex equations as Object Linking and Embedding (OLE) items in Microsoft Word documents.

It turns out, however, that the bug that attackers leverage in the campaign is actually one that Microsoft patched more than four years ago–in 2017, to be exact—but actually had existed some 17 years before that, making it 22 years old now.

As the final act of the attack, researchers found shellcode stored in the “OLENativeStreamstructure at the end of one of the OLE objects they examined. The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed after to lead to an executable called fresh.exe that loads the Snake Keylogger, researchers found.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business