Hackers are increasingly weaponizing PDF files to deliver malware and launch cyber attacks.
They exploit the ubiquity and perceived trustworthiness of PDFs to trick victims into opening malicious files that may contain malicious links, embedded code, or exploits for vulnerabilities that allow remote code execution.
Security experts at Palo Alto Networks recently reported that hackers are actively weaponizing PDF files to deliver the new SnipBot malware.
SnipBot is a newly discovered variant of the RomCom malware family, identified in April 2024 by Palo Alto Networks’ Advanced WildFire sandbox.
This sophisticated threat is designated “RomCom 5.0” and combines features of:
- RomCom 3.0
- PEAPOD (RomCom 4.0)
SnipBot uses a multi-stage infection process that starts with a signed executable disguised as a PDF.
It uses anti-sandbox techniques such as checking process names and registry entries.
The malware uses window-message-based control flow obfuscation and encrypted strings to avoid detection.
It then downloads additional payloads, including a DLL that injects code into Explorer.exe through COM hijacking.
SnipBot’s core functionality includes a backdoor (single.dll) that creates a mutex named “SnipMutex” and lets threat actors execute commands, upload and download files, and deploy additional modules.
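The initial lure described above is a signed executable presented as a PDF, so a valid code signature alone is not a reason to trust an attachment. The following added example (written for this page, not code from Palo Alto Networks or the article) shows the check a mail gateway or triage script would apply: sniff the real file type from the content (a PDF begins with `%PDF-`, a PE executable begins with `MZ` and carries a `PE\0\0` signature at the offset stored at 0x3C) and compare it with what the file name claims. The sample byte strings and the `assess_attachment` helper are constructed for the example; the double-extension heuristic is an assumption, not something the article states about SnipBot.

```python
import struct

PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"

# Constructed sample inputs, not real files.
# Minimal PE skeleton: "MZ", padding up to offset 0x3C, e_lfanew = 0x40, then the PE signature.
FAKE_PE = MZ_MAGIC + b"\x00" * 58 + struct.pack("<I", 0x40) + PE_SIGNATURE + b"\x00" * 16
FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"


def is_pe(data: bytes) -> bool:
    """True if the bytes look like a Windows PE image (MZ header + PE signature)."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def sniff_type(data: bytes) -> str:
    """Classify content by magic bytes, ignoring the file name entirely."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if is_pe(data):
        return "pe"
    return "unknown"


def claimed_type(filename: str) -> str:
    """What the file name suggests the file is."""
    name = filename.lower()
    if name.endswith(".pdf"):
        return "pdf"
    if name.endswith((".exe", ".scr", ".com", ".dll")):
        return "pe"
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Return ("ok" | "suspicious", reason) for an attachment name and its bytes.

    Hypothetical helper: flags content that does not match the claimed extension,
    and the 'report.pdf.exe' double-extension pattern when the content is a PE.
    """
    claimed = claimed_type(filename)
    actual = sniff_type(data)
    parts = filename.lower().split(".")
    if len(parts) > 2 and "pdf" in parts[1:-1] and actual == "pe":
        return "suspicious", "double extension: named like a PDF but content is a PE executable"
    if claimed == "pdf" and actual == "pe":
        return "suspicious", "extension claims PDF but content is a PE executable"
    if claimed != "unknown" and actual != "unknown" and claimed != actual:
        return "suspicious", f"extension says {claimed}, content is {actual}"
    return "ok", f"content matches {actual}"


if __name__ == "__main__":
    for name, blob in [("invoice.pdf", FAKE_PE), ("invoice.pdf.exe", FAKE_PE), ("invoice.pdf", FAKE_PDF)]:
        print(name, assess_attachment(name, blob))
```

The check is deliberately independent of the Authenticode signature: a signed file is still flagged when its bytes are a PE and its name says PDF, which is exactly the case this campaign relies on.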
Initially, the malware communicates with Command and Control (C2) servers using domains such as xeontime[.]com and drvmcprotect[.]com.
Earlier versions of the malware used different tactics, such as fake Adobe font installers, and C2 domains such as ilogicflow[.]com and webtimeapi[.]com.
The evolution of SnipBot illustrates the ongoing sophistication of cyber threats.
Its evasion techniques, payload delivery methods, and post-infection capabilities are used to compromise systems and exfiltrate sensitive data.
Analysis of SnipBot’s post-infection activity, tracked by Cortex XDR telemetry, revealed a sophisticated attack sequence lasting approximately four hours on April 4.
The attacker, using the command-line functionality of SnipBot’s main module (single.dll), first probed the network to identify the domain controller.
They then attempted to exfiltrate files from the victim’s Documents, Downloads, and OneDrive folders to a server at 91.92.250[.]104.
The attacker used the PuTTY Secure Copy client (renamed dsutil.exe) for data transfer, along with AD Explorer and WinRAR (renamed fsutil.exe) for file compression.
Targeted file types included standard system files and unusual health-related formats (ZBF, DCM).
Although there were problems, as evidenced by attempts to kill the PuTTY process, the attacker persisted and installed config-pdf.dll, downloaded from xeontime[.]com, which retrieved commands from ethernet[.]com.
The attack ended with an attempt to snapshot the native Active Directory database and archive files to c:\essential.
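The post-infection activity above (renamed PuTTY and WinRAR binaries, the SnipMutex mutex, lookups of the C2 domains, connections to the exfiltration server, and staging under c:\essential) maps directly onto endpoint telemetry. The following added example, written for this page and not taken from the article or from Cortex XDR, runs simple detection rules over a constructed list of EDR-style events. The event shape, the `original_filename` field (the PE version-info OriginalFileName that a renamed copy of pscp.exe or WinRAR.exe still carries; those original names are an assumption, not stated on the page) and all sample event values are constructed; the domains, IP, mutex and staging path are the indicators the article reports.

```python
from pathlib import PureWindowsPath

# Indicators reported in the article, with defanging brackets removed.
C2_DOMAINS = {"xeontime.com", "drvmcprotect.com", "ilogicflow.com", "webtimeapi.com", "ethernet.com"}
C2_IPS = {"91.92.250.104"}
MUTEX_NAMES = {"SnipMutex"}
STAGING_DIRS = {"c:\\essential"}
# Dual-use tools the article reports being renamed. The OriginalFileName values
# (pscp.exe, WinRAR.exe, Rar.exe) are an assumption of this example.
DUAL_USE_ORIGINALS = {"pscp.exe", "winrar.exe", "rar.exe"}

# Constructed sample telemetry; nothing here is real data from the incident.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\dsutil.exe", "original_filename": "pscp.exe"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\fsutil.exe", "original_filename": "WinRAR.exe"},
    {"type": "process", "image": r"C:\Windows\System32\fsutil.exe", "original_filename": "fsutil.exe"},  # benign
    {"type": "mutex", "name": "SnipMutex", "pid": 4321},
    {"type": "dns", "query": "xeontime.com."},
    {"type": "dns", "query": "windowsupdate.microsoft.com."},  # benign
    {"type": "network", "dst_ip": "91.92.250.104", "dst_port": 22},
    {"type": "file_write", "path": r"C:\essential\documents.rar"},
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_process(ev: dict):
    """Dual-use tool running under a name that differs from its PE OriginalFileName."""
    image = _basename(ev.get("image", ""))
    original = ev.get("original_filename", "").lower()
    if original in DUAL_USE_ORIGINALS and image != original:
        return ("renamed_dual_use_tool", f"{image} is really {original}")
    return None


def check_mutex(ev: dict):
    if ev.get("name") in MUTEX_NAMES:
        return ("snipbot_mutex", ev["name"])
    return None


def check_dns(ev: dict):
    """Exact or subdomain match against the C2 domain list."""
    q = ev.get("query", "").lower().rstrip(".")
    if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
        return ("c2_domain_lookup", q)
    return None


def check_network(ev: dict):
    if ev.get("dst_ip") in C2_IPS:
        return ("c2_ip_connection", f"{ev['dst_ip']}:{ev.get('dst_port')}")
    return None


def check_file_write(ev: dict):
    p = ev.get("path", "").lower()
    if any(p.startswith(d) for d in STAGING_DIRS):
        return ("staging_dir_write", ev["path"])
    return None


CHECKS = {
    "process": check_process,
    "mutex": check_mutex,
    "dns": check_dns,
    "network": check_network,
    "file_write": check_file_write,
}


def scan_events(events: list[dict]) -> list[tuple[str, str]]:
    """Apply the rule for each event type; return (rule_name, detail) hits."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, detail in scan_events(SAMPLE_EVENTS):
        print(f"{rule:24s} {detail}")
```

The renamed-tool rule is the one that survives infrastructure changes: domains and IPs rotate between campaigns, but a copy of pscp.exe or WinRAR.exe masquerading as a Windows utility outside System32 is the same behaviour regardless of which C2 is in use. The benign fsutil.exe in System32 shows that the rule keys on the version-info mismatch, not on the file name alone.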
This holistic approach, combining custom malware (SnipBot), living-off-the-land techniques, and targeted data extraction, suggests a potential shift by the threat actors from financial motivation to espionage, as CERT-UA has also noted.