The Sneaky “MalDoc in PDF” Technique: A New Way for Hackers to Bypass Antivirus
Hey MCK’s, today we are going to talk about a serious technique that many hackers are currently using to gain access to our systems and install malware without our knowledge. Without any delay, let’s get started.
In the world of online threats, hackers are cooking up fresh schemes to outsmart our defenses. The latest one making waves is called “MalDoc in PDF.” It’s a tricky move where hackers sneak a nasty Microsoft Word file right into what looks like an innocent PDF document. This tactic, named “MalDoc in PDF” by the folks at JPCERT/CC, hit the scene in July 2023 with a real-world attack. What makes it a head-scratcher is that the file opens in Microsoft Word even though it has all the markings and structure of a PDF. Once it’s opened in Word, it kicks off a VBS (Visual Basic Script) that does some not-so-friendly stuff, potentially putting your computer in harm’s way. These files are like shape-shifters: they pretend to be more than one thing at once, in this case both a PDF and a Word (DOC) file. The trick is to hide an MHT file created in Word, along with a crafty macro, inside the PDF. So you’ve got a PDF that can also play the part of a Word doc.
In simpler terms, this PDF is like a double agent. If you open it as a .DOC file in Microsoft Office, it might try to sneak in an MSI malware file, although we’re not sure exactly what kind of malware it’s carrying. There’s a catch, though. When you download a document from the internet or get it in an email, it often comes with something called a Mark of the Web (MotW). Thanks to this little flag, the file opens in Protected View and prompts you to click ‘Enable Editing’ to get out of it. Even after that, you’ll find that macros are still disabled, which adds a layer of protection. Although we only started seeing real-world MalDoc in PDF attacks recently, there’s evidence that hackers were tinkering with this trick as far back as May. This shows how persistent and crafty these cybercriminals can be.
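Because the file keeps the PDF header while also carrying the MHT and Word markers described above, a simple content scan can catch the mismatch. The script below is an added example written for this post, not code from JPCERT/CC or from the campaign; the marker set and the constructed sample blobs are assumptions for illustration.

```python
import sys

# Markers an MHT-based Word document carries when it is wrapped inside a PDF.
# The marker set is an assumption for this example, modelled on the public
# description of the technique: PDF header + MIME/MHT headers + the Office
# HTML namespace element. "editdata.mso" is the part in which Word MHT files
# commonly store their OLE/VBA payload, so its presence is reported separately.
PDF_MAGIC = b"%PDF-"
MHT_MARKERS = (b"MIME-Version:", b"Content-Type: multipart/related")
OFFICE_MARKERS = (b"<w:WordDocument>", b"<x:ExcelWorkbook>")
MACRO_CONTAINER = b"editdata.mso"


def scan_maldoc_in_pdf(data: bytes, magic_window: int = 1024) -> dict:
    """Flag a file that looks like a PDF but also parses as a Word/Excel MHT.

    A genuine PDF has no reason to carry MIME multipart headers or an Office
    HTML namespace, so the combination is treated as suspicious.
    """
    lowered = data.lower()
    # Readers tolerate the %PDF header anywhere in the first 1024 bytes, so
    # do not insist on offset 0.
    has_pdf = PDF_MAGIC in data[:magic_window]
    mht_hits = [m.decode() for m in MHT_MARKERS if m.lower() in lowered]
    office_hits = [m.decode() for m in OFFICE_MARKERS if m.lower() in lowered]
    return {
        "pdf_header": has_pdf,
        "mht_markers": mht_hits,
        "office_markers": office_hits,
        "macro_container": MACRO_CONTAINER in lowered,
        "suspicious": has_pdf and bool(mht_hits) and bool(office_hits),
    }


# Constructed samples (not real malware): a minimal benign PDF and a blob that
# carries only the marker strings the scanner keys on.
BENIGN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
POLYGLOT_SAMPLE = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b'MIME-Version: 1.0\nContent-Type: multipart/related; boundary="----=_Part"\n'
    b'<html xmlns:w="urn:schemas-microsoft-com:office:word">\n'
    b"<w:WordDocument><w:View>Print</w:View></w:WordDocument>\n"
    b"Content-Location: file:///C:/editdata.mso\n"
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    samples = [(p, open(p, "rb").read()) for p in paths] or [
        ("benign.pdf", BENIGN_PDF), ("polyglot.pdf", POLYGLOT_SAMPLE)]
    for name, blob in samples:
        print(name, scan_maldoc_in_pdf(blob))
```

Run it with one or more file paths to scan real attachments; with no arguments it scans the two built-in samples.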
Now, here’s the kicker: Phishing campaigns using QR codes are on the rise, known as “qishing.” These campaigns often pose as multi-factor authentication (MFA) messages, tricking people into scanning QR codes with their phones, which leads them to fake websites set up by cyber bad guys. One campaign, in particular, has seen an astonishing 2,400% increase since May 2023, targeting Microsoft login details. This goes to show that these social engineering attacks are getting more effective. In a concerning twist, hackers are mixing voice phishing (vishing) with regular phishing tactics to get unauthorized access to systems. In one case, a hacker posed as a delivery driver, using a phone call to convince an employee to read out a code from an email attachment. The email looked harmless but had a fake image, pretending to be an Outlook message with an attachment.
The victim got led down a rabbit hole of redirects to a fake executable that stole data and connected to a shady TOR hidden service. These complex attacks highlight just how crafty hackers can be. In another campaign, a malicious Microsoft Excel file hid a Visual Basic Script that used PowerShell code to download a JPG image. That innocent-looking image could carry malware like Agent Tesla, LimeRAT, or Remcos RAT from a remote server. As if that’s not enough to worry about, there are concerns about something called “name collisions” in the Domain Name System (DNS), which could be used to leak sensitive data. Domain names that have expired, or that never even existed, can still cause trouble in certain domains.
In this ever-changing world of online threats, we all need to stay on our toes and beef up our online defenses. “MalDoc in PDF” is just one of the tricks up hackers’ sleeves, so staying informed and having strong security measures in place is a must.