Recently, eSentire TRU (Threat Response Unit) reported that since November 2022, it had observed the resurrection of a malicious campaign that Hackers Attack on targets explicitly the following organizations:-
- Manufacturing
- Commercial
- Healthcare
While cybersecurity researchers acknowledge that the campaign is being carried out by threat actors who are native Russian speakers.
In this analysis, experts mainly focus on four separate instances where Bluesteel, a machine-learning tool for PowerShell of eSentire, identified harmful commands executing a script from a domain under the control of an attacker.
Weaponized PDF Files as Initial Vector
Here the phishing email has been identified as the initial infection vector.
To distribute the malicious payload, the Hackers attack are actively adopting email hijacking, and via PDF attachments, they deliver the malicious payload.
To deceive users into thinking the domain is genuine, the attackers include the sender domain within the Vesta Control Panel.
The user is redirected to saprefx[.]com domain via a link to the domain embedded with the PDF attachment.
The behavior of the domain changes depending on the user’s location.
Here we have mentioned the two options available:-
- Users will either be redirected to the final domain with the JavaScript payload.
Or
Generally, the compromised WordPress websites are the hosting platform for the JavaScript payload.
By utilizing the InstallProduct method, the malicious script downloads and executes the MSI file, and all this occurs when the user opens the JavaScript attachment.
Using the C drive’s serial number as a parameter, the VBS file establishes a connection to the C2 server.
It subsequently fetches the Windows Installer product and stealthily launches it in the background without the user’s knowledge.
Several tools and scripts are included inside the MSI files, and they are mainly tailored to capture screenshots of the computer when it was infected.
This process is executed through the implementation of an AutoHotKey script. And here below, we have mentioned the tools that are observed:-
- AutoIt
- Python scripts
- i_view32.exe
Hackers Use Weaponized PDF Files to Attack
In the early stages of the campaign, security analysts observed the threat actors dropping:-
- Backdoor
- Cobalt Strike payload
- Python script
The previously mentioned malicious PowerShell command fetches and executes the PowerShell script, which is located at:-
The PowerShell script utilizes LoadLibraryA to load kernel32.dll and crypt32.dll.
Then to convert the base64 string into a binary format, it employs the CryptStringToBinaryA function from crypt32.dll.
Using CreateToolhelp32Snapshot, the Cobalt Strike loader, acting as the malicious payload, examines the “powershell.exe” process.
The threat actors introduced their personally developed backdoor tool called “resident2.exe” in the second incident, and this tool is a 32-bit executable written in C programming language.
The threat actors involved in the third incident kickstart their intrusion by manipulating wscript.exe to launch the malicious JavaScript file.
In the last instance of the attack, the threat actors first employed au3.exe, which then generated a chain of additional malicious executables.
Here below, we have mentioned the files that the threat actors drop:-
- Terminal App Service.vbs (C:\ProgramData\Cis)
- app.js (C:\ProgramData\Dored) – similar to the previous case
- au3.exe (C:\ProgramData\2020)
- au3.ahk (C:\ProgramData\2020)
- index.js (C:\ProgramData\Dored) – screenshot sender script, similar to the 3rd incident
- i_view32.exe (C:\ProgramData\Dored)
- skev.jpg – screenshot image (C:\ProgramData\Dored)
- hcmd.exe (AppData\Roaming\hcmd\hcmd.exe)
- index.js (AppData\Roaming\hcmd)
- hcmd.exe (AppData\Roaming\hcmd)
Recommendations
Here below, we have mentioned all the recommendations offered by the security researchers:-
- Validate that every device has the necessary EDR solutions implemented for enhanced protection.
- Make use of PSAT to provide your employees with proper education on the risks involved with commodity stealers and drive-by downloads.
- Ensure there are established protocols for employees to follow when submitting content that may be deemed malicious for proper assessment.
- Use Windows Attack Surface Reduction rules to block the execution of downloaded content initiated by JavaScript and VBScript.
Source: https://cybersecuritynews.com/hackers-use-weaponized-pdf-files-to-attack-organizations/