Cybercriminals weaponise PDF files

Read time 3min 10sec
Attackers weaponise PDFs.
Attackers weaponise PDFs.

A notorious criminal group called TA505 has debuted a widespread spam campaign aimed at infecting victims with the FlawedAmmyy remote access trojan (RAT).

The campaign is also employing a new technique, and is weaponising PDF files by embedding malicious .SettingContent-ms files inside them.

The FlawedAmmyy RAT has been deployed since at least the beginning of 2016, and the authors behind it have used it in both highly targeted and large, indiscriminate campaigns.

A foot in the door

According to SpecterOps, a provider of adversary-focused cybersecurity solutions, for cybercriminals getting a foot in the door is a major challenge against a secure target.

When choosing a payload for the initial access, the threat actor needs to choose a file format that permits arbitrary code execution or shell command execution with minimal user intervention. There aren't that many file formats of this nature, so cybercriminals have leaned on file types such as .HTAs, Office macros, .VBS, .JS, etc.

"There are obviously a finite number of built-in file extensions on Windows, and as defences improve, the number of effective payloads continues to shrink," says SpecterOps.

The .SettingContent-ms file format is a special 'shortcut' file that opens Microsoft's new Windows Settings panel that it introduced with the release of Windows 8 and that is featured primarily in Windows 10 over the old Control Panel system.

These files can be used to bypass certain Windows 10 defences such as At-tack Surface Reduction and detection of OLE-embedded dangerous file for-mats, and the format currently allows execution of commands such as cmd.exe and PowerShell without prompts or user interaction, the company said.

Dodgy PDF attachments

Since the original publication of this approach, researchers from security company Proofpoint witnessed a variety of attackers, or the 'early adopters', abusing this file format by embedding it inside Microsoft Word documents. However, they also saw it being embedded in PDF documents, which had not yet been seen.

Proofpoint said it first observed this on 18 June this year, and by July 16, it noticed an especially large campaign with hundreds of thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file.

When opened, Adobe Reader displays a warning prompt, asking the individual whether they want to open the file, and if opened, the .SettingContent-ms file launches PowerShell to download and execute the FlawedAmmyy RAT payload.

Early adopters

According to endpoint protection company Barkly, the TA505 group operates at a huge scale and sets trends among financially motivated actors because of their reach and campaign volumes. "Our attribution is based on email messages, as well as payload and other identifying characteristics," says Barkly.

Barkly adds that well-established criminal groups and newcomers alike are quick to adopt new techniques and approaches when malware authors and researchers publish new proofs of concept.

"While not all new approaches gain traction, some may become regular ele-ments through which threat actors rotate as they seek new means of distributing malware or stealing credentials for financial gain. In this case, we see TA505 acting as an early adopter, adapting the abuse of SettingContent-ms files to a PDF-based attack delivered at significant scale. We will continue to monitor ways in which threat actors use this approach in the weeks to come."

See also