Security researchers with HP reported a recent campaign that delivered malware in a unique way to evade email security filters. The campaign used email to deliver PDF files that embedded a Microsoft Word document, which is unusual by itself. Adobe Acrobat Reader and most other PDF viewing programs display a warning prompt before opening embedded files, but the threat actor used a trick in naming the embedded Word file to make it seem like it might be more trustworthy:
Because the malicious file was named “has been verified. However PDF, Jpeg, XLS, .docx”, the text of the warning prompt could be misread by the person opening the file as a statement that the embedded file had been verified by the PDF reader.
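One defensive check this naming trick suggests is to pull the names of embedded files out of a PDF and flag any that read like dialog text rather than a filename. The following is an added example written for this article, not code from HP's research: it does a minimal regex scan of `/Filespec` dictionaries (not a full PDF parser, so encrypted or object-stream PDFs would need a library such as pypdf), and the reassurance-word and extension lists are assumptions. The sample PDF is constructed inline and reuses the filename quoted above.

```python
"""Flag PDF embedded-file names that read like a viewer's own warning text.

Added example, not from the HP report. The parsing is a minimal regex scan of
/Filespec dictionaries; the heuristic word lists below are assumptions.
"""
import re

# Words that, rendered inside a viewer's "Open File" prompt, read as
# reassurance about the attachment. Assumed list; extend as needed.
REASSURANCE_WORDS = ("verified", "trusted", "safe", "scanned", "approved")
# File-type words a name should normally contain at most one of.
EXTENSIONS = {"pdf", "jpeg", "jpg", "xls", "xlsx", "doc", "docx", "rtf", "exe"}

# Match "/F (...)" or "/UF <hex>" string values inside a dictionary.
STRING_RE = rb"(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)"
NAME_KEY_RE = re.compile(rb"/(UF|F)\s*" + STRING_RE, re.S)

# Constructed sample: two embedded files, one with the dialog-like name.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(att) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Filespec /F (has been verified. However PDF, Jpeg, XLS, .docx) /UF (has been verified. However PDF, Jpeg, XLS, .docx) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >> stream
%DOC
endstream endobj
6 0 obj << /Type /Filespec /F (quarterly_report.docx) /EF << /F 5 0 R >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _decode_pdf_string(literal, hexstr):
    """Decode a PDF literal or hex string; /UF may carry a UTF-16BE BOM."""
    if hexstr is not None:
        raw = bytes.fromhex(hexstr.decode("ascii").replace(" ", "").replace("\n", ""))
    else:
        raw = re.sub(rb"\\([()\\])", rb"\1", literal)  # undo \( \) \\ escapes
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")


def find_embedded_files(pdf_bytes):
    """Return the display names of all /Filespec objects in the file."""
    names = []
    for obj in pdf_bytes.split(b"endobj"):
        if b"/Filespec" not in obj:
            continue
        found = {}
        for m in NAME_KEY_RE.finditer(obj):
            found[m.group(1)] = _decode_pdf_string(m.group(2), m.group(3))
        # The Unicode name (/UF) is what viewers display when present.
        name = found.get(b"UF") or found.get(b"F")
        if name:
            names.append(name)
    return names


def suspicious_name_reasons(name):
    """List why a name looks like prompt text instead of a filename."""
    reasons = []
    lowered = name.lower()
    if any(w in lowered for w in REASSURANCE_WORDS):
        reasons.append("reassurance wording")
    if re.search(r"[.!?]\s+\w", name):
        reasons.append("sentence-like punctuation")
    tokens = set(re.findall(r"[a-z0-9]+", lowered))
    if len(tokens & EXTENSIONS) >= 2:
        reasons.append("multiple file-type words")
    return reasons


def audit_pdf(pdf_bytes):
    """Pair each embedded-file name with the reasons it was flagged (empty = clean)."""
    return [(n, suspicious_name_reasons(n)) for n in find_embedded_files(pdf_bytes)]


if __name__ == "__main__":
    for name, reasons in audit_pdf(SAMPLE_PDF):
        print(f"{name!r}: {'FLAGGED ' + ', '.join(reasons) if reasons else 'ok'}")
```

Run on a mail gateway's PDF attachments, the flagged names are worth a second look even when the embedded payload itself scans clean, since the social-engineering lives in the name rather than the content.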
If the person opening the PDF is tricked into clicking the OK button, Microsoft Word will open the document file. That file uses another trick: an Object Linking and Embedding (OLE) object that references a remote URL served through the “vtaurl[.]com” link-shortener service. The object it downloads is a Rich Text Format (RTF) document carrying a “.doc” file extension. RTF files are opened by Microsoft Word by default and can also be used to deliver malware.
The RTF file uses more tricks to disguise its final payload – it exploits an old and well-known vulnerability in the Microsoft Equation Editor that has continued to plague users of older Microsoft Office suite versions that have not been patched. The shellcode is encrypted, and when it decrypts itself and runs, it downloads the final payload, an EXE file, from a URL using a hard-coded IP address (188.8.131.52). The EXE contains Snake Keylogger malware, which steals passwords and other sensitive data typed on the keyboard and sends the stolen data via email to mail[.]saadzakhary[.]com.
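The two document stages described above (a Word file whose OLE object points at a remote URL, and an RTF file with a misleading “.doc” extension that carries an Equation Editor object) both leave structural traces that can be checked without executing anything. The following is an added example for this article, not the HP researchers' tooling: it classifies an attachment by magic bytes, lists externally linked OLE relationships in a .docx package, and reports Equation Editor markers in an RTF body. The relationship type URI and RTF control words are taken from the documented OOXML and RTF formats; the sample .docx and RTF are constructed inline (the RTF `\objdata` blob is filler, not a real object), and a production pipeline would also follow the `r:id` references inside `word/document.xml`, which this example does not.

```python
"""Audit Office attachments for remote OLE links and Equation Editor objects.

Added example for this article, not the HP report's tooling. Indicator strings
come from the documented OOXML/RTF formats; sample files are constructed here.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Constructed RTF: Equation Editor object class plus auto-update, filler objdata.
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 0105000002000000}}}")


def content_type(data: bytes) -> str:
    """Classify by magic bytes; the extension is attacker-controlled and untrusted."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole-cfb"  # legacy binary .doc container
    return "unknown"


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return URLs of OLE objects Word would fetch from outside the package."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    targets.append(rel.get("Target"))
    return targets


def rtf_ole_indicators(rtf_bytes: bytes) -> list:
    """Markers of an embedded OLE object, with the Equation Editor class called out."""
    text = rtf_bytes.decode("latin-1")
    indicators = []
    if re.search(r"\\objclass\s+Equation\.3\b", text):
        indicators.append("Equation.3 OLE class")  # the Equation Editor component
    if "\\objupdate" in text:
        indicators.append("\\objupdate (object refreshed when document is displayed)")
    if re.search(r"\\objdata\s+[0-9a-fA-F]", text):
        indicators.append("embedded \\objdata blob")
    return indicators


def audit_attachment(filename: str, data: bytes) -> dict:
    """Combine the type check, extension mismatch and format-specific indicators."""
    kind = content_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = {"doc": "ole-cfb", "docx": "ooxml", "rtf": "rtf"}.get(ext)
    findings = {"type": kind, "extension_mismatch": expected is not None and expected != kind, "indicators": []}
    if kind == "ooxml":
        findings["indicators"] = [f"external OLE link: {t}" for t in external_ole_targets(data)]
    elif kind == "rtf":
        findings["indicators"] = rtf_ole_indicators(data)
    return findings


def build_sample_docx(target_url: str) -> bytes:
    """Constructed minimal .docx with one externally linked OLE object (not a real sample)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="{target_url}" TargetMode="External"/>'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # "shortener.example" is a placeholder URL, not the campaign's infrastructure.
    print(audit_attachment("invoice.docx", build_sample_docx("https://shortener.example/abc")))
    print(audit_attachment("invoice.doc", SAMPLE_RTF))
```

The extension-mismatch flag alone would have caught the “.doc” file that is really RTF, and the external OLE target is the URL a gateway should resolve and reputation-check before the document ever reaches Word; patching Office so the Equation Editor component is gone remains the fix for the final stage.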