Snake Keylogger Slithers Onto PCs With Malicious Word Docs In Sinister Malware Campaign
It seems that every day a new malware threat rears its ugly head. Every once in a while, though, the new threat is a version of an old one. PDFs as a method of malware delivery, for example.
That's what researchers at HP Wolf Security have recently found. A less common but seemingly effective infection method uses a number of tricks and tools to evade both security software and human scrutiny.
According to the report, the victim receives an e-mail with the subject line "Remittance Invoice" and a PDF attachment that looks like it could be an invoice. The PDF format is often used for invoices, quotes, and other business files because of its perceived security. Unfortunately, in this case the file is anything but secure.
Once the Word document is opened, and if macros are enabled, it downloads an RTF (rich text format) file from a remote location and opens it. That document, named "f_document_shp.doc", attempts to exploit an old OLE vulnerability, CVE-2017-11882, which Microsoft patched long ago. The vulnerability allowed arbitrary code execution, so anyone using it could run whatever code they wanted on an affected system. In this case the payload is usually the Snake Keylogger, a tool that records keystrokes so the attacker can capture the victim's data.
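CVE-2017-11882 is the Office Equation Editor flaw, and RTF carriers embed the malicious object through `\object` / `\objdata` groups, with the OLE payload hex-encoded. The triage script below is an added example (not from the article or from HP Wolf) that scans an RTF for an embedded Equation Editor object by ProgID or CLSID; the two RTF samples it builds are constructed for the demonstration and are not the campaign's file.

```python
import re
import uuid

# CVE-2017-11882 lives in the Office Equation Editor; a malicious RTF embeds the
# object via \object ... \objdata, with the OLE payload as a run of hex digits.
EQN_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")  # Equation.3 class id
EQN_PROGID = re.compile(rb"Equation\.\d", re.I)

def extract_objdata(rtf: bytes) -> list:
    """Return the decoded OLE blob carried by every \\objdata group in the RTF."""
    blobs = []
    for m in re.finditer(rb"\\objdata\b([0-9a-fA-F\s]*)", rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        try:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
        except ValueError:
            continue  # malformed hex: skip it rather than guess at the payload
    return blobs

def triage_rtf(rtf: bytes) -> dict:
    """Flag RTF documents that embed an Equation Editor object (by ProgID or CLSID)."""
    blobs = extract_objdata(rtf)
    # The \objclass control word names the ProgID in clear text...
    objclass_eqn = bool(re.search(rb"\\objclass\s*Equation\.\d", rtf, re.I))
    # ...and the decoded OLE blob repeats the ProgID and/or the class id in GUID byte order.
    blob_eqn = any(EQN_PROGID.search(b) or EQN_CLSID.bytes_le in b for b in blobs)
    return {
        "embedded_objects": len(blobs),
        "equation_object": objclass_eqn or blob_eqn,
        "suspicious": bool(blobs) and (objclass_eqn or blob_eqn),
    }

def build_sample(progid: str, with_clsid: bool) -> bytes:
    """Constructed RTF with one embedded OLE object (test sample, not the campaign's file)."""
    blob = b"\x01\x05\x00\x00\x02\x00\x00\x00" + progid.encode() + b"\x00"  # OLE1-style header
    if with_clsid:
        blob += EQN_CLSID.bytes_le
    return (rb"{\rtf1\ansi{\object\objemb{\*\objclass " + progid.encode()
            + rb"}{\*\objdata " + blob.hex().encode() + b"}}}")

if __name__ == "__main__":
    print(triage_rtf(build_sample("Equation.3", True)))   # flagged
    print(triage_rtf(build_sample("Package", False)))     # benign embedded object
```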
prevents macros from being loaded automatically without a prompt. The security flaw exploited at the end of this chain is already patched. So to actually become infected, the user would need to be on an unpatched system, be unwitting or unwary, open the PDF, allow its content to run, and override the macro protection. That is a lot of conditions, but HP Wolf did detect this malware this year, so it clearly can happen.
The best practices to protect yourself in this case are pretty simple. Be wary of any attachments, make sure your systems are up to date, make sure your software is up to date, and make sure your anti-malware or anti-virus software is up to date. Pretty straightforward, really.