Adobe Reader Infostealer Spreads Through Email in Brazil

A recent email spam campaign is distributing infostealer malware disguised as an Adobe Reader Installer. The spam emails contain forged PDF documents prompting recipients to install Adobe Reader, which in turn triggers the downloading and installation of malware. This malicious activity primarily targets users in Portugal and Brazil, judging by the language used in the documents.

INFOSTEALER SPREADS IN FAKE ADOBE READER 

The recent attack campaign, identified by ASEC Intelligence Center, initiates with email spam containing a PDF attachment. The content of these messages is in Portuguese, indicating a specific targeting of Brazil and Portugal.

Within the PDF file, users encounter a pop-up prompt urging them to install Adobe Reader under the guise of document access necessity. It’s worth noting that modern web browsers are capable of handling PDFs efficiently regardless of complexity.

Upon following the document’s instructions, a file named Reader_Install_Setup.exe is downloaded. This file masquerades as a legitimate installation file for Adobe Reader, complete with a replicated icon, further complicating the deception. However, running the file, which is actually a loader, initiates the execution of the malware.

However, this process doesn’t occur immediately. The malware executes a series of actions to perform DLL hijacking and run the final payload with maximum privileges. Initially, it spawns an executable file and drops a DLL containing the actual payload, then initiates the msdt.exe process. Interestingly, msdt.exe is a legitimate Windows diagnostics tool that the malware leverages to invoke a subordinate service.

The command used to invoke MSDT, specifically its Bluetooth Diagnostic tool, is as follows:

C:\Windows\SysWOW64\msdt.exe” -path “C:\WINDOWS\diagnotics\index\BluetoothDiagnostic.xml” -skip yes

This service subsequently loads the malicious DLL mentioned earlier. This DLL, in turn, executes the aforementioned executable file, thereby legitimizing the infostealer and granting it maximum privileges.

While the malware employed in the campaign seems to be unique and not affiliated with any known malware families, its functionality is hardly unconventional. This infostealer follows a typical pattern: it collects basic system information, sends it to the command server, and creates a directory to store the gathered data.

Additionally, the malware adds this directory to the list of Microsoft Defender exclusions to avoid detection. Furthermore, it disguises itself by mimicking the legitimate Chrome folder, adding a fake executable file and other files typical of a genuine browser folder.

The C2 servers used by some of the samples confirm the attack targeting hypotheses mentioned earlier. Both hxxps://thinkforce.com[.]br/ and hxxps://blamefade.com[.]br/ receive AutoFill data from all browsers. Although this is less than what modern infostealers typically gather, it’s still significant, as browsers store almost all of our passwords.

Recommendation

To protect against infostealer malware, follow these essential security practices:

1. Keep Software Updated: Ensure all software, including operating systems, browsers, and security applications, are regularly updated with the latest patches and security fixes to address known vulnerabilities.
2. Use Reliable Security Software: Install reputable antivirus and anti-malware software on all devices and keep them up-to-date to detect and prevent infostealer infections.
3. Exercise Caution with Email Attachments: Be cautious when opening email attachments, especially from unknown or suspicious senders. Verify the legitimacy of attachments before downloading or opening them.
4. Avoid Clicking on Suspicious Links: Refrain from clicking on links in emails, messages, or websites from untrusted sources. Hover over links to verify their destination URLs before clicking.
5. Implement Strong Passwords: Use strong, unique passwords for all accounts and enable two-factor authentication (2FA) wherever possible to add an extra layer of security.
6. Educate Users: Educate users about the risks of downloading files from unknown sources, clicking on suspicious links, and sharing sensitive information online.
7. Enable Firewall Protection: Activate firewalls on all devices to monitor and block unauthorized network traffic, preventing malicious programs from accessing your system.
8. Regularly Back Up Data: Regularly back up important files and data to an external storage device or cloud service. In the event of a malware infection, you can restore your data without paying ransomware demands.
9. Implement Web Filtering: Use web filtering tools or services to block access to malicious websites and prevent users from inadvertently downloading malware.
10. Stay Informed: Stay updated on the latest cybersecurity threats and trends by monitoring reputable security blogs, forums, and news sources.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!