CRAC Learning

Could PDFs be malicious?



As online attacks continue to grow, attackers use increasingly sophisticated measures to breach new defenses. To gain unauthorized access to user information, they use various methods to install malware (malicious software) on a victim's device. Recently, a threat actor (Blind Eagle) used malicious PDFs in which the link target differed from the legitimate hyperlink shown to the user. [2]


The PDF format supports links, images and written content, and it can carry both visible and non-visible data. PDF files are the most common way of managing digital documents, and a PDF document stores its data in a well-defined structure. There are several ways to infect a victim's system with malware through a PDF. Viruses, Trojans and other malware have many ways of hiding inside a PDF and often arrive as email downloads or attachments such as eBooks and other documents, usually from unknown or unfamiliar senders.

  1. Hyperlinks in a PDF document - This requires the user to click a link in the PDF. Links can redirect the user to a page or section within the PDF or to another website on the internet. The URL shown is the real one; however, when the user clicks it, they are redirected to a different website. Finally, the URL field of this new site contains a URL that downloads a second-stage payload from the public service Discord.

  2. Malicious program encoded within the PDF - Hidden JavaScript code can also be used to exploit vulnerabilities in a PDF reader. A malicious program can be launched simply by opening a malicious PDF: by clicking on and opening the file, the user unknowingly starts a predator program as well. Such attacks are technically possible today, but less common.

Hackers try to bypass the detection offered by antivirus and anti-malware software. Files and email attachments can contain embedded or encrypted objects that prevent detection by security tools or by users.
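To make the two mechanisms above concrete from a defender's side, here is an added Python triage script (not part of the original post) that scans raw PDF bytes for link targets outside an allow-list and for names that mark active content such as JavaScript and automatic actions. The sample PDF, the `allowed_hosts` parameter and the `attacker.example` host are all constructed for the illustration.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Constructed sample PDF (not a real malware sample): one link annotation whose
# /URI target is an unexpected host, plus an /OpenAction that runs JavaScript.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (http://attacker.example/second-stage) >> >> endobj
5 0 obj << /S /JavaScript /JS (app.alert("constructed sample")) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF names that mark active content or automatic actions; a document that is
# supposed to be plain reading material rarely needs any of them.
RISKY_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

# Literal-string /URI targets only; hex strings <...> are not handled here.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)

def extract_uris(data: bytes) -> list[str]:
    """Return every literal /URI target found in link actions."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]

def count_risky_keys(data: bytes) -> dict[str, int]:
    """Count each risky name; the lookahead stops /JS matching inside longer names."""
    counts: dict[str, int] = {}
    for key in RISKY_KEYS:
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", data))
        if n:
            counts[key.decode()] = n
    return counts

def triage(data: bytes, allowed_hosts: set[str]) -> dict:
    """Flag link targets outside the allow-list and any active-content keys."""
    uris = extract_uris(data)
    off_allowlist = [h for h in (urlsplit(u).hostname or "" for u in uris)
                     if h not in allowed_hosts]
    risky = count_risky_keys(data)
    verdict = "review" if (off_allowlist or risky) else "clean"
    return {"uris": uris, "off_allowlist": off_allowlist,
            "risky_keys": risky, "verdict": verdict}
```

A byte-level scan like this only catches plainly written objects; a production tool must also inflate compressed object streams and decode `#xx` escapes in names, which is exactly how embedded or encoded objects evade naive checks.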


Recommendations

1. Do not download or open attachments from suspicious emails or from untrusted parties. Learn to recognize phishing emails by looking for suspicious components: if a suspicious email claims to come from a trustworthy-seeming organization such as a financial institution, do not engage with it. Reach out to that institution directly and ask whether the email is genuine.


2. Use a secure trusted PDF reader.

PDF readers downloaded from untrusted sources can come with vulnerabilities, intentionally malicious capabilities or outdated insecure features. A trusted PDF reader such as Adobe Acrobat Reader receives regular security updates and is the industry standard for viewing and using PDFs.


3. Run regular virus scans.


References


