Infostealer Disguised as Adobe Reader Installer

AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of an infostealer disguised as the Adobe Reader installer. The threat actor is distributing the file as a PDF, prompting users to download and run the file.

As shown in Figure 1, the fake PDF file is written in Portuguese, and its message tells users to download and install Adobe Reader. By claiming that Adobe Reader is required to open the file, it prompts the user to download and install the malware.

Figure 1. The fake PDF file

Upon clicking the gray area shown in Figure 1, users are redirected to the following address, and the malware is downloaded.

  • hxxps://raw.githubusercontent[.]com/fefifojs/reader/main/Reader_Install_Setup.exe

The downloaded file uses the Adobe Reader icon, and its name is set to Reader_Install_Setup.exe. By disguising itself as the Adobe Reader installer, it prompts the user to run it.

Figure 2. Reader_Install_Setup.exe

The figure below shows the overall flow of the attack, from disguising the malware as a PDF file to downloading and running it.

Figure 3. The flow chart

The execution process of the downloaded file can be divided into three phases.

  1. File creation
  2. DLL Hijacking & UAC Bypass
  3. Information Leak

1. File Creation

When the malicious file Reader_Install_Setup.exe is run, it performs the following activities.

[Reader_Install_Setup.exe]
1. Creates %TEMP%\require.exe
2. Creates %AppData%\Local\Microsoft\WindowsApps\BluetoothDiagnosticUtil.dll
3. Runs msdt.exe

2. DLL Hijacking & UAC Bypass

Reader_Install_Setup.exe creates two malicious files and runs msdt.exe, a Windows system file, using the following command.

"C:\Windows\SysWOW64\msdt.exe" -path "C:\WINDOWS\diagnostics\index\BluetoothDiagnostic.xml" -skip yes

The executed msdt.exe process runs sdiagnhost.exe as administrator.

[msdt.exe]
1. Performs recursive execution as administrator
2. Runs sdiagnhost.exe

sdiagnhost.exe loads the malicious BluetoothDiagnosticUtil.dll.

[sdiagnhost.exe]
1. Loads malicious BluetoothDiagnosticUtil.dll (DLL Hijacking)
2. require.exe is executed by the malicious DLL module’s DllMain function

By default, Windows has the path “%AppData%\Local\Microsoft\WindowsApps” registered in the PATH environment variable. As such, the malicious DLL file is loaded when the sdiagnhost.exe process loads BluetoothDiagnosticUtil.dll.

Through the process above, the threat actor can bypass user account control (UAC) via DLL hijacking.

Unlike normal DLL files, the malicious BluetoothDiagnosticUtil.dll does not contain any export functions and only has the DllMain function.
In the DllMain function, the malicious require.exe file created by Reader_Install_Setup.exe is executed.

Figure 4. The DllMain function of BluetoothDiagnosticUtil.dll
Figure 5. Executing require.exe using the CreateProcess function
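
The chain described in phases 1 and 2, expressed as detection logic over file-create, process-create and image-load events (an added example, not from the ASEC post or any AhnLab product). The event records are constructed and use Sysmon-style field names; the user name and the expanded %TEMP% and %AppData% locations are assumptions.

```python
import re

# Constructed sample events, loosely modelled on Sysmon fields
# (id 1 = process create, 7 = image load, 11 = file create). Not real telemetry;
# the user name and the expansion of %TEMP% / %AppData% are assumptions.
U = r"C:\Users\u1"
SAMPLE_EVENTS = [
    {"id": 11, "Image": U + r"\Downloads\Reader_Install_Setup.exe",
     "TargetFilename": U + r"\AppData\Local\Microsoft\WindowsApps\BluetoothDiagnosticUtil.dll"},
    {"id": 1, "Image": r"C:\Windows\SysWOW64\msdt.exe",
     "ParentImage": U + r"\Downloads\Reader_Install_Setup.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\msdt.exe" -path "C:\WINDOWS\diagnostics'
                    r'\index\BluetoothDiagnostic.xml" -skip yes'},
    {"id": 7, "Image": r"C:\Windows\System32\sdiagnhost.exe",
     "ImageLoaded": U + r"\AppData\Local\Microsoft\WindowsApps\BluetoothDiagnosticUtil.dll"},
    {"id": 1, "Image": U + r"\AppData\Local\Temp\require.exe",
     "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "CommandLine": U + r"\AppData\Local\Temp\require.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\msdt.exe",  # benign troubleshooter run
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "msdt.exe -id NetworkDiagnosticsWeb"},
]

# The DLL name the page reports, under the user-writable WindowsApps directory.
PLANTED_DLL = re.compile(r"\\appdata\\local\\microsoft\\windowsapps\\bluetoothdiagnosticutil\.dll$")

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev):
    """Return the chain stage an event matches, or None."""
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    if ev["id"] == 11 and PLANTED_DLL.search(ev["TargetFilename"].lower()):
        return "dll_planted"
    if ev["id"] == 7 and basename(image) == "sdiagnhost.exe" \
            and PLANTED_DLL.search(ev["ImageLoaded"].lower()):
        return "dll_hijack_load"
    if ev["id"] == 1 and basename(image) == "msdt.exe":
        cmd = ev["CommandLine"].lower()
        if "bluetoothdiagnostic.xml" in cmd and re.search(r"-skip\s+yes", cmd):
            return "msdt_silent_bluetooth_pack"
    if ev["id"] == 1 and basename(parent) == "sdiagnhost.exe" \
            and "\\appdata\\local\\temp\\" in image.lower():
        return "payload_from_sdiagnhost"
    return None

def detect_chain(events):
    """Stages matched, in event order; 'dll_hijack_load' alone merits an alert."""
    return [stage for stage in map(classify, events) if stage]
```
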

3. Information Leak

The executed require.exe performs the following activities:

[require.exe]
1. Collects PC information and communicates with C2
– C2 URL: hxxps://blamefade.com[.]br/
2. Creates the following path and adds it to the Windows Defender exclusions
– Path: %AppData%\Roaming\ChromeApplication
3. Creates files including chrome.exe at the created path and hides them

Figure 6. The generated ChromeApplication folder

The created chrome.exe is a malicious file that is unrelated to the actual Google Chrome browser. It disguises itself as the browser executable by using an icon identical to that of the real browser.

[chrome.exe]
1. Collects system information along with the user’s browser information and sends them to the C2 server
– C2 URL: hxxps://thinkforce.com[.]br/

Given the information above, users must take extra caution with files that prompt them to run malware by having them run files downloaded from unofficial sources.

The V3 detection information and IOC are as follows:

Figure 7. V3 file detection information
Figure 8. V3 behavior detection information

[File Detection]
– Trojan/Win.Agent.C5594460 (2024.02.28.00)
– Infostealer/Win.Agent.C5594461 (2024.02.28.00)
– Trojan/Win.Agent.C5594846 (2024.02.28.00)
– Phishing/PDF.Agent (2024.02.24.00)

[Behavior Detection]
– Malware/MDP.Drop.M254 (2017.01.18.00)

[IOC Info]

[MD5]
84526c50bc14838ddd97657db7c760ca
0eebfc748bc887a6ef5bade20ef9ca6b
b24441f5249d173015dd0547d1654c6a
02b96e2079bbc151222bb5bd10a4be9d

[C&C]
hxxps://blamefade.com[.]br/
hxxps://thinkforce.com[.]br/


The post Infostealer Disguised as Adobe Reader Installer appeared first on ASEC BLOG.
