AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of an infostealer disguised as the Adobe Reader installer. The threat actor distributes the lure as a PDF file that prompts users to download and run the malware.
As shown in Figure 1, the fake PDF is written in Portuguese and tells users to download and install Adobe Reader. By claiming that Adobe Reader is required to open the file, it prompts the user to download and install the malware.
Clicking the gray area shown in Figure 1 redirects the user to the following address, from which the malware is downloaded.
hxxps://raw.githubusercontent[.]com/fefifojs/reader/main/Reader_Install_Setup.exe
The downloaded file uses the Adobe Reader icon and is named Reader_Install_Setup.exe. By disguising itself as the Adobe Reader installer, it prompts the user to run it.
The figure below shows the comprehensive flow of the attack, from disguising the malware as the PDF file to downloading and running it.
The execution process of the downloaded file can be divided into three phases.
- File creation
- DLL Hijacking & UAC Bypass
- Information Leak
1. File Creation
When the malicious file Reader_Install_Setup.exe is run, it performs the following activities.
[Reader_Install_Setup.exe]
1. Creates %TEMP%\require.exe
2. Creates %AppData%\Local\Microsoft\WindowsApps\BluetoothDiagnosticUtil.dll
3. Runs msdt.exe
2. DLL Hijacking & UAC Bypass
Reader_Install_Setup.exe creates the two malicious files above and then runs msdt.exe, a legitimate Windows system binary, with the following command.
"C:\Windows\SysWOW64\msdt.exe" -path "C:\WINDOWS\diagnostics\index\BluetoothDiagnostic.xml" -skip yes
The executed msdt.exe process is responsible for launching sdiagnhost.exe with administrator privileges.
[msdt.exe]
1. Re-launches itself as administrator
2. Runs sdiagnhost.exe
sdiagnhost.exe loads malicious BluetoothDiagnosticUtil.dll.
[sdiagnhost.exe]
1. Loads malicious BluetoothDiagnosticUtil.dll (DLL Hijacking)
2. require.exe is executed by the malicious DLL module’s DllMain function
By default, Windows includes the path "%AppData%\Local\Microsoft\WindowsApps" in the PATH environment variable. As a result, when the sdiagnhost.exe process attempts to load BluetoothDiagnosticUtil.dll, the malicious DLL placed in that directory is the one that gets loaded.
Through the process above, the threat actor can bypass user account control (UAC) via DLL hijacking.
Unlike a legitimate DLL, the malicious BluetoothDiagnosticUtil.dll exports no functions and implements only DllMain.
In the DllMain function, the malicious require.exe file created by Reader_Install_Setup.exe is executed.
3. Information Leak
The executed require.exe performs the following activities:
[require.exe]
1. Collects PC information and communicates with C2
– C2 URL: hxxps://blamefade.com[.]br/
2. Creates the following path and adds the path to Windows Defender exclusion
– Path: %AppData%RoamingChromeApplication
3. Creates files including chrome.exe at the created path and hides them
The created chrome.exe is a malicious file unrelated to the actual Google Chrome browser; it disguises itself as the real browser executable by using the same icon as the genuine browser.
[chrome.exe]
1. Collects system information along with the user’s browser information and sends them to the C2 server
– C2 URL: hxxps://thinkforce.com[.]br/
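The DLL hijacking phase (a Windows binary resolving BluetoothDiagnosticUtil.dll from the user-writable WindowsApps directory that sits on PATH) and the information-leak phase (require.exe adding a Windows Defender exclusion) both leave telemetry a defender can match on. The following is an added example, not ASEC's code or part of the original analysis, that applies three such rules to constructed Sysmon-style event records; the user name, the Downloads path, the parent-process relationships and the rule thresholds are assumptions, while the msdt.exe command line, the DLL name and the exclusion path are taken from the analysis above.

```python
"""Added example (not ASEC's code): heuristic detections for the chain above
over constructed process-creation, image-load and registry-set events."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One constructed Sysmon-style telemetry record (not real log data)."""
    kind: str            # "process" (creation), "imageload", or "registry" (value set)
    image: str           # full path of the acting process
    parent: str = ""     # parent process image (process events)
    cmdline: str = ""    # command line (process events)
    loaded: str = ""     # DLL path (imageload events)
    target: str = ""     # registry key path (registry events)


# Per-user WindowsApps directory: on PATH by default and writable by the user,
# which is what makes the DLL hijack described in the analysis possible.
USER_WINDOWSAPPS = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\windowsapps\\", re.I)
DEFENDER_EXCLUSIONS = re.compile(r"\\windows defender\\exclusions\\", re.I)


def _under_windows(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def classify(e: Event) -> list:
    """Return the names of the rules a single event triggers (empty if none)."""
    hits = []
    img = e.image.lower()
    if e.kind == "process" and img.endswith("\\msdt.exe"):
        # Phase 2: msdt.exe given a diagnostic package (-path) by a parent that
        # lives outside C:\Windows, e.g. a downloaded installer (heuristic).
        if "-path" in e.cmdline.lower() and not _under_windows(e.parent):
            hits.append("msdt_launched_by_untrusted_parent")
    if e.kind == "imageload" and _under_windows(e.image):
        # Phase 2: a Windows binary loading a DLL from the user-writable
        # WindowsApps directory instead of a system directory.
        if USER_WINDOWSAPPS.match(e.loaded):
            hits.append("system_binary_loads_dll_from_windowsapps")
    if e.kind == "registry" and DEFENDER_EXCLUSIONS.search(e.target):
        # Phase 3: a Defender exclusion written by a process that is not Defender.
        if "\\windows defender\\" not in img:
            hits.append("defender_exclusion_added_by_non_defender_process")
    return hits


def scan(events) -> list:
    """Run classify over every event; returns [(rule, image, detail), ...]."""
    findings = []
    for e in events:
        for rule in classify(e):
            findings.append((rule, e.image, e.loaded or e.target or e.cmdline))
    return findings


# Constructed sample telemetry modelled on the chain in the post. The user
# name "victim", the Downloads location and the parent processes are assumed.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\SysWOW64\msdt.exe",
          parent=r"C:\Users\victim\Downloads\Reader_Install_Setup.exe",
          cmdline=r'"C:\Windows\SysWOW64\msdt.exe" -path '
                  r'"C:\WINDOWS\diagnostics\index\BluetoothDiagnostic.xml" -skip yes'),
    Event("imageload", r"C:\Windows\System32\sdiagnhost.exe",
          loaded=r"C:\Users\victim\AppData\Local\Microsoft\WindowsApps\BluetoothDiagnosticUtil.dll"),
    Event("registry", r"C:\Users\victim\AppData\Local\Temp\require.exe",
          target=r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
                 r"\C:\Users\victim\AppData\Roaming\Chrome\Application"),
    # Benign controls: the same system binaries behaving normally.
    Event("process", r"C:\Windows\System32\msdt.exe",
          parent=r"C:\Windows\System32\control.exe",
          cmdline=r'"C:\Windows\System32\msdt.exe" /id NetworkDiagnosticsWeb'),
    Event("imageload", r"C:\Windows\System32\sdiagnhost.exe",
          loaded=r"C:\Windows\System32\BluetoothDiagnosticUtil.dll"),
]

if __name__ == "__main__":
    for rule, image, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {image} -> {detail}")
```

Run stand-alone, the script reports exactly the three malicious events and stays silent on the two benign controls. The image-load rule is deliberately broader than this campaign: any process under C:\Windows resolving a DLL from a per-user WindowsApps directory is worth a look, because the same PATH entry serves any hijack of that shape.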
Given the information above, users must be especially cautious with files that prompt them to download and run other files from unofficial sources.
The V3 detection information and IOC are as follows:
[File Detection]
– Trojan/Win.Agent.C5594460 (2024.02.28.00)
– Infostealer/Win.Agent.C5594461 (2024.02.28.00)
– Trojan/Win.Agent.C5594846 (2024.02.28.00)
– Phishing/PDF.Agent (2024.02.24.00)
[Behavior Detection]
– Malware/MDP.Drop.M254 (2017.01.18.00)
[IOC Info]
[MD5]
84526c50bc14838ddd97657db7c760ca
0eebfc748bc887a6ef5bade20ef9ca6b
b24441f5249d173015dd0547d1654c6a
02b96e2079bbc151222bb5bd10a4be9d
[C&C]
hxxps://blamefade.com[.]br/
hxxps://thinkforce.com[.]br/
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.