Snake Keylogger distributed using malicious PDF files

Cybersecurity researchers reveal the new way hackers manage to spread malware around

Malicious PDF files attached to deceptive emails deliver the information stealer malware

A new cybercrime campaign reveals that hackers leverage PDF files and try to distribute Snake Keylogger onto vulnerable systems.^[1] Hackers deliver emails with the subject like “Remittance Invoice” or the PDF file with this name and try to trick people into thinking they will get paid for something.^[2] This way people fall for the scam tricks and one the message with the attached malicious file.

The email message has the PDF file as the attachment, and this way, people think the message is legitimate. Word or Excel files are typically included in scam messages and ransomware-delivering emails, so they can be suspicious.^[3] This campaign also relies on the 22-year-old Office bug that, once exploited, allows the Snake Keylogger malware deployment.

HP Wolf Security researchers discovered the campaign and reports^[4] that the malware-laced file uses the detection evasion method and avoid alerts about the dangerous content, so the information-stealing malware can be delivered since the attached PDF file gets downloaded and opened.

Embedding malicious files

The unusual infection chain was discovered by the researchers and they noticed that the malware arrived in a PDF document. This format is rarely used by attackers who distribute malware on machines and networks. These campaigns also rely on particular methods that allow the file with malicious purposes remains undetected. These methods include embedded malicious files, loading remotely-hosted exploits, and shellcode encryption.

Even another type of attachment can be embedded within the PDF, and once the victim opens such an attachment the prompt asking to open the second file appears. The message on the screen can claim the verification of this file that should appear on the screen.

Unfortunately, all these JPEG, Docx, xlsx, and PDF files can contain macro viruses, or trigger the drop of the direct malicious program. These claims and hidden features trick people into believing that the PDF reader has scanned the file and checked for the possible malicious or unknown files and malware.

Two-decades-old flaw abuse

It is expected that Word or Excel files come with macro viruses, and once those are enabled, the rich text format file can be delivered from a remote location, so the malicious processes get launched. This is where the file tries to drop the payload of this Snake Keylogger on the machine. This virus is a modular information stealer that can be especially persistent and avoid detection.

These threats like Snake Keylogger can be used to access credentials, harvest them or other data from the machine, and exfiltrate any other information from the machine or network. Particularly targeted endpoints need to be, however, vulnerable to the particular flaw. Researchers discovered that the attack is successful when the CVE-2017-11882 flaw can be leveraged.^[5]

This remote code execution bug resided in Equation Editor and was patched back in 2017, but device administrators might still keep their machines unpatched to this day. The flaw existed since 2000, however, so these campaigns with Snake Keylogger leverage the 22-year-old bug. This vulnerability was one of the most popular and widely exploited in 2018 since these patches were implemented slowly, and attackers took advantage of that.