A malware campaign uses fake PDF tools as a vector to sneak malicious PowerShell commands onto victims' machines, allowing attackers to steal crypto wallets, hijack browser credentials and exfiltrate other information.
Following last month’s FBI alert, the CloudSek Security Research team conducted an investigation to reveal more details about the attack.
The goal is to run a PowerShell command that tricks users into installing the ArechClient2 malware, a variant of SectopRAT, a family known to harvest sensitive data from victims.
Malicious websites impersonate the legitimate file converter PDFCandy, but instead of loading the actual software, the malware is downloaded. The site features loading bars and CAPTCHA verifications to lull users into a false sense of security.
Ultimately, after several redirects, the victim's machine downloads an "Adobe.Zip" file containing the payload. This exposes the device to a Remote Access Trojan that has been active since 2019.
This will leave users open to theft of data, such as browser credentials and cryptocurrency wallet information.
The malware "checks the extension storage, lifts seed phrases, and even taps the Web3 API to silently drain assets after approval," according to Stephen Ajayi, dApp audit technical lead at blockchain security company Hacken, as reported by Decrypt.
CloudSek advised using antivirus and antimalware software that can "verify file types beyond extensions," since malicious files often masquerade as legitimate document types.
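The "verify file types beyond extensions" advice, as an added example that is not part of the original article: a small Python checker that reads a file's leading bytes and flags an executable hiding behind a document extension. The magic-byte values are standard format signatures, and the sample files are constructed inline.

```python
import os
import tempfile

# Magic bytes for the formats this campaign abuses (standard values, assumed here).
SIGNATURES = {"pdf": b"%PDF-", "zip": b"PK\x03\x04", "exe": b"MZ"}

# Content type an extension claims to carry.
EXPECTED = {".pdf": "pdf", ".zip": "zip", ".exe": "exe", ".dll": "exe", ".scr": "exe"}


def detect_type(header: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for name, magic in SIGNATURES.items():
        if header.startswith(magic):
            return name
    return "unknown"


def check_file(path: str) -> dict:
    """Compare what the extension claims with what the header actually is."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    ext = os.path.splitext(path)[1].lower()
    claimed = EXPECTED.get(ext, "unknown")
    actual = detect_type(header)
    # Only a confident disagreement counts; unknown formats are reported, not flagged.
    mismatch = "unknown" not in (claimed, actual) and claimed != actual
    return {"claimed": claimed, "actual": actual, "mismatch": mismatch}


def scan_samples() -> dict:
    """Write constructed sample files to a temp dir and check each one."""
    samples = {
        "invoice.pdf": b"%PDF-1.7\n%constructed\n",      # genuine PDF header
        "report.pdf": b"MZ\x90\x00\x03\x00\x00\x00",     # PE disguised as a PDF
        "Adobe.zip": b"PK\x03\x04\x14\x00\x00\x00",      # real archive, as in the campaign
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = check_file(path)
    return results


if __name__ == "__main__":
    for name, info in scan_samples().items():
        flag = "MISMATCH" if info["mismatch"] else "ok"
        print(f"{name}: claims {info['claimed']}, is {info['actual']} -> {flag}")
```

A genuine ZIP such as "Adobe.Zip" passes this check, so an archive still needs its contents inspected before anything inside it is run.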
Cybersecurity companies also advise users to use "a reliable and reputable file conversion tool from official websites" rather than searching for "free online file converters," and to consider an offline conversion tool so that files are not uploaded to remote servers.
Hacken's Ajayi added advice for crypto users: "Trust is a spectrum, acquired, not given." "Assuming there is nothing secure by default in cybersecurity," he said, "we can apply the idea of zero trust, keep the security stack up to date, and in particular EDR and AV tools can flag behavioral anomalies like rogue MSBuild.exe activity."
"Attackers are constantly evolving, and so should advocates," Ajayi noted. "Regular training, situational awareness, and strong detection coverage are essential. Be skeptical, and always prepare a tested response playbook for the worst-case scenario."