Threat actors have been using malicious PDF attachments to distribute the Snake Keylogger malware, according to BleepingComputer.
The campaign begins with an email carrying a PDF named "Remittance Invoice." When the PDF is opened, Adobe Reader prompts the recipient to open a DOCX file embedded in it, according to an HP Wolf Security report. Because the attackers named the embedded document "has been verified," recipients may be misled into thinking Adobe has marked the file as safe. If the DOCX is then opened in Microsoft Word with macros enabled, it downloads and opens an RTF file named "f_document_shp.doc."
The RTF contains deliberately malformed OLE objects, an attempt to evade detection tools and frustrate analysis. It also carries shellcode that exploits CVE-2017-11882, a remote code execution vulnerability in Microsoft Equation Editor, to achieve arbitrary code execution on the victim's machine.
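The chain above gives an analyst two cheap triage checks before any sandbox run: does the PDF carry a file attachment (and is that attachment named like a scan verdict rather than a document), and does the RTF embed an OLE object aimed at Equation Editor, even when its hex payload has been mangled? The following Python is an added example written for this page, not code from BleepingComputer, HP Wolf Security or the malware authors. The PDF and RTF samples are constructed inline to mirror the structure described (they are not the real lures), the "verdict-like name" word list is a heuristic of my own choosing, and the malformation check (non-hex characters or an odd nibble count in `\objdata`) is an assumption about what "malformed" means in practice rather than a description of the specific objects the researchers found.

```python
import re

# Constructed sample (not a real malicious file): a minimal PDF carrying a
# file attachment, shaped like the "Remittance Invoice" PDF described above.
# The attachment name mimics the "has been verified" lure.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(has been verified.docx) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Filespec /F (has been verified.docx) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >>
stream
PK\x03\x04
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed RTF samples: an embedded OLE1 object whose class name is
# Equation.3 (the Equation Editor target of CVE-2017-11882). The hex in
# \objdata is: OLE version, format id 2, name length 11, "Equation.3\0".
# The second copy drops one trailing nibble so the hex string is odd-length,
# standing in for the malformed objects the report describes.
SAMPLE_RTF = (rb"{\rtf1{\object\objemb{\*\objclass Equation.3}"
              rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}}")
SAMPLE_RTF_MALFORMED = (rb"{\rtf1{\object\objemb{\*\objclass Equation.3}"
                        rb"{\*\objdata 01050000020000000b0000004571756174696f6e2e330}}}")

FILESPEC_RE = re.compile(rb"/Type\s*/Filespec.*?/F\s*\(([^)]*)\)", re.S)
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^}]+)\}")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([^}]*)\}")
# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as laid
# out on disk (first three fields little-endian).
EQNEDT_CLSID = bytes.fromhex("02CE02000000000000C000000000000046")
# Heuristic word list (my choice): names that read like a scan verdict.
VERDICT_WORDS = ("verified", "safe", "scanned", "secure", "clean")


def pdf_attachments(data: bytes) -> list[str]:
    """Names of file attachments (/Filespec entries) found in a PDF.

    Only literal-string names are handled; hex-string (<...>) names and
    objects hidden in compressed object streams need a real PDF parser.
    """
    return [m.group(1).decode("latin-1") for m in FILESPEC_RE.finditer(data)]


def looks_like_verdict(name: str) -> bool:
    """True if an attachment name is phrased like a security verdict."""
    lower = name.lower()
    return any(word in lower for word in VERDICT_WORDS)


def rtf_ole_objects(data: bytes) -> list[dict]:
    """Summarise each \\object group in an RTF: declared class, whether the
    \\objdata hex is well-formed, and whether it targets Equation Editor."""
    starts = [m.start() for m in re.finditer(rb"\\object\b", data)]
    found = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(data)
        chunk = data[start:end]
        cls = OBJCLASS_RE.search(chunk)
        objclass = cls.group(1).strip() if cls else b""
        dat = OBJDATA_RE.search(chunk)
        raw = dat.group(1) if dat else b""
        hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", raw)
        # Assumed definition of "malformed": stray non-hex characters or an
        # odd nibble count, which makes a strict decoder fail. Decode the
        # longest even prefix anyway so the class-name check still runs.
        malformed = (hexchars != re.sub(rb"\s", b"", raw)
                     or len(hexchars) % 2 == 1)
        payload = bytes.fromhex(hexchars[: len(hexchars) - len(hexchars) % 2].decode())
        equation = (b"equation" in objclass.lower()
                    or b"Equation." in payload
                    or EQNEDT_CLSID in payload)
        found.append({"objclass": objclass.decode("latin-1"),
                      "malformed": malformed,
                      "equation_editor": equation})
    return found


if __name__ == "__main__":
    for name in pdf_attachments(SAMPLE_PDF):
        print(f"PDF attachment {name!r}: verdict-like name = {looks_like_verdict(name)}")
    for obj in rtf_ole_objects(SAMPLE_RTF_MALFORMED):
        print("RTF OLE object:", obj)
```

Both checks are deliberately byte-level so they survive the kind of damage that breaks full parsers; a tolerant decoder that still surfaces "Equation.3" from a broken `\objdata` string is exactly what the malformation is trying to defeat. For production triage, pair them with a real PDF parser (object streams and hex-string names are common) and with oletools' rtfobj, which handles the full range of RTF obfuscation.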
Aside from running Reveton, described as the first ransomware-as-a-service operation, from 2011 together with co-conspirators who have also been charged in the U.S., Silnikau also led the Angler exploit kit, which was used in malvertising campaigns against U.S.-based firms.
The attacks began with malicious emails purporting to come from the SSU that asked recipients to submit certain required documents and included a link to a Documents.zip archive; the archive contained an MSI file that, when run, installed the malware.
Malvertising placed in Google search results has been used to lure victims into downloading fake installers for software including a YouTube downloader, Roblox FPS Unlocker and VLC media player.