Adobe Reader Infostealer Plagues Email Messages in Brazil

Frauds use forged PDF documents to deploy infostealers

A recent email spam campaign reportedly spreads infostealer malware under the guise of Adobe Reader Installer. Within a forged PDF document, there is a request to install Adobe Reader app, that triggers malware downloading and installation. Considering the language of the said documents, this malicious activity mainly targets Portugal and Brazil.

Infostealer Spreads in Fake Adobe Reader Installers

The recent attack campaign detected by ASEC Intelligence Center starts with email spam. The messages have a PDF file attached to them, with their contents in Portuguese. This seriously narrows down the list of countries the campaign is targeting – to Brazil and Portugal. Inside of the file, there is a pop-up prompt to install Adobe Reader, which is allegedly required to open the document. Short side note – modern web browsers can handle PDFs of any complexity with ease.

Following the instruction of a document triggers the downloading of a file named Reader_Install_Setup.exe, which obviously mimics a legit installation file of the program. It even repeats the icon, which makes the fraud even harder to understand at this stage. Running the thing, which in fact is a loader, initiates the malware execution.

Fake Adobe Reader installer

However, it does not happen instantly – malware performs a series of actions to pull the DLL hijack and run the final payload with the max privileges possible. First, it spawns an executable file and drops a DLL that contains actual payload and runs the msdt.exe process. The latter is a genuine Windows diagnostics tool that malware uses to call for a subordinate service.

C:\Windows\SysWOW64\msdt.exe" -path "C:\WINDOWS\diagnotics\index\BluetoothDiagnostic.xml" -skip yes – code used to call for MSDT, specifically its Bluetooth Diagnostic tool

This service will consequently load a malicious DLL I’ve mentioned above. The library, in turn, runs the said executable file, legitimizing the infostealer and providing it with max privileges.

Stealer Malware Analysis

Even though the malware used in the campaign appears to be unique and does not belong to any of the known malware families, its functionality can barely be called unusual. This infostealer gathers basic info about the system, sends it to the command server and then creates a directory to store the collected data. Malware adds the latter to the list of Microsoft Defender exclusions, so it will not disrupt its operations. Also, it mimics the legit Chrome folder by adding a fake executable file and also some of the files typical for a genuine browser folder.

Browser folder copy infostealer
A fake browser folder created by the infostealer to keep the collected data

The C2 servers used by some of the samples confirms the attack targeting hypotheses I’ve mentioned above. Hxxps://thinkforce.com[.]br/ and hxxps://blamefade.com[.]br/ receive the AutoFill data from all the browsers. While this is less than what modern infostealers typically gather, it is still sensible – browsers keep almost all of our passwords.

How to protect against infostealer malware?

Information stealers never were an underdog of the malware world, and they remain a potent threat regardless of the circumstances. However, even though their samples may feature outstanding anti-detection tricks, they still need to get in. And this is where you can avoid them with max efficiency.

Be careful with emails. Email spam is probably going to be the most widespread malware delivery way of this decade. Users tend to believe their content or simply ignore the related risks, which inevitably leads to malware infection. Seeing such a sketchy offer to install a long-forgotten app or perform an action that is not normally needed with this type of documents should raise suspicion. At the same time, texts of such messages may be ridiculous enough to make the fraud apparent.

Use official software sources. It happens for certain files to require specific software, but try to use only official distributions of one. Going to the developer’s site and downloading one is not that longer when compared to clicking a link.

Have decent anti-malware software on hand. Malware finds new spreading ways pretty much every day. To avoid falling victim to the most tricky sample, a software that will not allow it to get in is essential. GridinSoft Anti-Malware is a program that will provide you with real-time protection and network filters with hourly updates. This security tool will make sure that malware will not even launch in the first place.

Adobe Reader Infostealer Plagues Email Messages in Brazil

By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *