Most malware delivered as an email attachment arrives as a Word (.docx) or Excel (.xlsx) file. Threat analysts have recently observed that PDF attachments are becoming a more popular vehicle for distributing malware: because many people have been trained to be suspicious of Word and Excel files, they are less cautious about opening a PDF. But there is a twist: the malware inside the PDF is still a Word document.
This is how the PDF tricks the recipient of one of these phishing emails into loading the malware lurking inside:
- The user receives an email titled “Remittance Invoice” with the infected PDF attached.
- The user opens the PDF and is prompted to open a Word (.docx) file. A PDF asking to open a Word document is unusual, so stop here if you haven’t already.
- The Word document is named “has been verified”, so the pop-up that asks the user to open it reads “The file ‘has been verified’.” This leads the user to think it is safe to open. See image below.
- If macros are enabled, opening the .docx file in Microsoft Word automatically downloads another file in rich text format (.rtf); that file contains a command that connects to the site where the attacker has staged the malware and downloads it.
- The current, most common payload is Snake Keylogger. It is a powerful information stealer that is hard to detect and very good at stealing usernames and passwords and at stealing and removing data.
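As an added defensive example that is not part of the original post or its cited sources, the Python script below triages a PDF for the traits this lure relies on (an embedded file specification, a .docx file name, a /Launch or /OpenAction) and runs against a constructed sample PDF; the extension list and the risk rule are my own assumptions, not anything from the reports.

```python
import re
import zlib

# Constructed sample (not real malware): a minimal PDF with a file specification
# for an embedded "has been verified.docx" plus a /Launch action, as in the lure.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
3 0 obj << /Type /Filespec /F (has been verified.docx) /EF << /F 4 0 R >> >> endobj
4 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
5 0 obj << /S /Launch /F (has been verified.docx) >> endobj
%%EOF
"""

# Extensions a PDF should normally never need to embed or launch (assumed list)
SUSPICIOUS_EXT = re.compile(rb"\.(docx?|docm|xlsx?|xlsm|rtf|exe|js|vbs|ps1)\b", re.I)

def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream, so names and
    keywords hidden inside compressed object streams are scanned too."""
    extra = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed or non-Flate stream; its raw bytes are scanned anyway
    return data + b"\n" + b"\n".join(extra)

def scan_pdf(data: bytes) -> dict:
    """Heuristic triage: count embedded files, launch/open actions and JavaScript,
    list embedded or launched names with risky extensions, and flag 'risky' for
    any /Launch action or an embedded file with an Office/script extension."""
    blob = _inflate_streams(data)
    names = []
    for m in re.finditer(rb"/U?F\s*\(([^)]*)\)", blob):  # /F (name) or /UF (name)
        name = m.group(1).decode("latin-1")
        if SUSPICIOUS_EXT.search(m.group(1)) and name not in names:
            names.append(name)
    findings = {
        "embedded_files": blob.count(b"/EmbeddedFile"),
        "launch_actions": blob.count(b"/Launch"),
        "open_actions": blob.count(b"/OpenAction"),
        "javascript": blob.count(b"/JavaScript") + blob.count(b"/JS"),
        "suspicious_names": names,
    }
    findings["risky"] = findings["launch_actions"] > 0 or (
        findings["embedded_files"] > 0 and bool(names))
    return findings
```

Real malicious PDFs often hide these objects inside Flate-compressed object streams, which is why the inflation step exists; treat the result as a triage signal to quarantine and inspect, not as a verdict.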
Sources: Bleeping Computer, HP Wolf Security
May 24, 2022