Snake Keylogger Slithers Onto PCs With Malicious Word Docs In Sinister Malware Campaign

It seems that every day a new malware threat rears its ugly head. Every once in a while, though, the new threat is a version of an old one, such as PDFs used as a method of malware delivery.

That's what researchers at HP Wolf Security recently found: a less common but seemingly effective infection method that uses a number of tricks and tools to evade both detection software and the human reading the e-mail.

According to the report, the victim receives an e-mail with the subject line "Remittance Invoice" and a PDF attachment that looks like it could be an invoice. The PDF format is often used for invoices, quotes, and other business documents because of its perceived security. Unfortunately, in this case the file is less than secure.

PDF file open prompt showing the phony file name being opened.

The file is less secure because it houses a hidden Microsoft Office document, typically a Word DOCX file. The embedded file is named "has been verified." When the Adobe PDF reader prompts the user before opening the embedded file, the dialog begins with "The file 'has been verified'", and the attacker hopes the victim will simply click through and let it open. It is a bit of simple trickery, but one that works all too well on many users.
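As an added illustration (not code from the article or the HP Wolf report), the following Python sketch shows how a defender could flag the PDF stage described above: it pulls the names and contents of embedded files out of a PDF and reports Office-type containers and decoy names that read like a sentence rather than a filename. The sample PDF is constructed inline; real PDFs may use object streams or filters this regex-based parser does not handle.

```python
import re
import zlib

# Constructed sample PDF (not a real sample): one embedded file whose display name is
# the decoy string from the campaign and whose content starts with the DOCX zip signature.
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
    b"2 0 obj << /Names [ (has been verified) 3 0 R ] >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (has been verified) /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nPK\x03\x04\nendstream endobj\n%%EOF\n"
)

# Signatures of Office-type containers that have no business riding inside an invoice PDF
OFFICE_MAGIC = {
    b"PK\x03\x04": "OOXML zip container (DOCX/XLSX/PPTX)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file (DOC/XLS)",
    b"{\\rtf": "RTF document",
}

def embedded_file_names(pdf: bytes) -> list:
    """Display names from /Filespec dictionaries (/F or /UF string entries)."""
    names = []
    for spec in re.finditer(rb"/Filespec(.*?)endobj", pdf, re.S):
        for m in re.finditer(rb"/U?F\s*\(([^)]*)\)", spec.group(1)):
            names.append(m.group(1).decode("latin-1"))
    return names

def embedded_streams(pdf: bytes) -> list:
    """Bodies of /EmbeddedFile streams, inflated when the object is FlateDecode."""
    out = []
    for m in re.finditer(rb"/Type\s*/EmbeddedFile(.*?)stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        data = m.group(2)
        if b"/FlateDecode" in m.group(1):
            data = zlib.decompress(data)
        out.append(data)
    return out

def classify_embedded(pdf: bytes) -> list:
    """Flag Office-type payloads and decoy names crafted to complete the viewer's prompt text."""
    findings = []
    for data in embedded_streams(pdf):
        for magic, label in OFFICE_MAGIC.items():
            if data.startswith(magic):
                findings.append(f"embedded {label}")
    for name in embedded_file_names(pdf):
        # A genuine attachment carries an extension; a sentence-like name is a decoy
        if "." not in name or " " in name:
            findings.append(f"decoy attachment name: {name!r}")
    return findings
```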

Once the Word document is opened, and if macros are enabled, the macro downloads an RTF (rich text format) file from a remote location and opens it. This document, named "f_document_shp.doc", attempts to exploit an old OLE vulnerability, CVE-2017-11882, which Microsoft patched long ago. That vulnerability allowed arbitrary code execution, effectively letting anyone who used it run whatever code they wanted on affected systems. In this case, the payload is usually the Snake keylogger, which records the victim's keystrokes so the attacker can harvest data.
Faux Word document used to download the malware.
As with any malware threat, an infection can be rather serious. However, this particular threat has pretty low chances of infection overall. In February Microsoft started rolling out updates to newer versions of Office that prevent macros from loading automatically without a prompt, and the security flaw the final stage exploits is already patched. So to actually become infected, a user would need to be on an unpatched system, be unwitting or unwary, open the PDF, allow the embedded file to open, and bypass the macro protection. That is quite a lot of variables, but HP Wolf detected this malware this year, so it can still happen.

The best practices to protect yourself in this case are pretty simple. Be wary of any attachments, make sure your systems are up to date, make sure your software is up to date, and make sure your anti-malware or anti-virus software is up to date. Pretty straightforward, really.