Phishing PDF Files with CAPTCHA Screen Being Mass-distributed

Phishing PDF files with CAPTCHA screens are being mass-distributed at a rapidly growing pace this year. A CAPTCHA screen appears when the PDF file is opened, but it is not a real CAPTCHA: it is simply an image carrying a link that redirects the user to a malicious URL. Related samples collected by AhnLab's ASD infrastructure since July amount to about 1,500,000. Most of them appear to be distributed overseas, so there have been fewer cases of damage in Korea. Phishing PDF files discovered until now have had various screen layouts and operation methods, so a case like this one, where a single specific type is being mass-distributed, is worth noting.

Screen Layout

Most of the PDF files have 3 pages. The first page holds the fake CAPTCHA image, and clicking this image sends the user to the URL specified by the /URI entry of the PDF. The URI points to a traffic redirection service such as feedproxy or traff.ru (refer to the IOC below for the list of traffic redirection service URLs). A traffic redirection service does not host the resource itself; it only redirects the user to the destination. Because the malicious file is never tied directly to the final malicious URL, the attacker can change the final URL at any time. This kind of redirection is often seen in recent malware distribution cases.

It appears that the attacker inserted the second and third pages on purpose while generating the PDF files automatically. Each file contains different meaningless text and links that lead to other phishing PDF files. All of the PDF files appear to have been generated with the wkhtmltopdf command line tool.
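The two static indicators described above (the /URI target behind the CAPTCHA image and the generator metadata) can be pulled from the raw bytes of a PDF without rendering it. The following is an added example written for this article, not tooling from AhnLab; the embedded PDF is a constructed one-page sample that reuses the feedproxy URL quoted below, and its /Creator and /Producer values are assumptions standing in for whatever wkhtmltopdf actually writes. The redirector host list is taken from the IOC section.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample, not one of the real files: a minimal one-page PDF whose link
# annotation /URI points at the feedproxy URL quoted in the article. The /Creator
# and /Producer values are assumptions standing in for whatever wkhtmltopdf wrote.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 595 842] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [50 400 545 800]
  /A << /S /URI /URI (https://feedproxy.google.com/~r/Uplcv/~3/S30rS-6n6vg/uplcv?utm_term=simple+launcher+for+elderly) >> >> endobj
5 0 obj << /Creator (wkhtmltopdf 0.12.6) /Producer (Qt 4.8.7) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""

# Redirection hosts taken from the article's IOC list; extend as needed.
KNOWN_REDIRECTORS = {"feedproxy.google.com", "ttraff.ru", "cctraff.ru", "yakutiaprime.ru"}

# PDF string syntax: literal "(...)" with backslash escapes, or hex "<...>".
_LITERAL = rb"\(((?:[^()\\]|\\.)*)\)"
_HEX = rb"<([0-9A-Fa-f\s]*)>"


def pdf_strings(data: bytes, key: bytes) -> List[str]:
    """Return every string value that directly follows dictionary key `key` (e.g. b'/URI')."""
    pattern = re.escape(key) + rb"\s*(?:" + _LITERAL + rb"|" + _HEX + rb")"
    values = []
    for m in re.finditer(pattern, data):
        if m.group(1) is not None:
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # unescape \( \) \\ (octal escapes ignored)
        else:
            hexdigits = re.sub(rb"\s", b"", m.group(2))
            if len(hexdigits) % 2:
                hexdigits += b"0"  # PDF pads an odd trailing digit with 0
            raw = bytes.fromhex(hexdigits.decode("ascii"))
        values.append(raw.decode("latin-1"))
    return values


def defang(url: str) -> str:
    """Make a URL non-clickable in the same style as the IOC list."""
    return url.replace("://", "[:]//").replace(".", "[.]")


def triage_pdf(data: bytes, redirectors=KNOWN_REDIRECTORS) -> Dict[str, object]:
    """Static triage of raw PDF bytes: link targets, generator metadata, page count, IOC hits."""
    uris = pdf_strings(data, b"/URI")
    hits = [defang(u) for u in uris if urlparse(u).hostname in redirectors]
    return {
        "uris": [defang(u) for u in uris],
        "redirector_hits": hits,
        "creator": pdf_strings(data, b"/Creator"),
        "producer": pdf_strings(data, b"/Producer"),
        # counts /Type /Page objects (not the /Pages tree node); misses objects in object streams
        "pages": len(re.findall(rb"/Type\s*/Page\b", data)),
    }


if __name__ == "__main__":
    for k, v in triage_pdf(SAMPLE_PDF).items():
        print(f"{k}: {v}")
```

The regexes only see objects stored in clear; a file that packs its dictionaries into compressed object streams (/ObjStm) must first be expanded, for example with qpdf --qdf, before this kind of grep finds its /URI entries. Output URLs are defanged so they can be pasted into a report without becoming clickable.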

Redirection to Malicious URL

The attacker uses the traffic redirection service to reach the final destination. The first URL, the one attached to the CAPTCHA image, can be found under the /URI entry in the raw bytes of the PDF file.

The URL https[:]//feedproxy[.]google[.]com/~r/Uplcv/~3/S30rS-6n6vg/uplcv?utm_term=simple+launcher+for+elderly redirects users to an advertising website, which is the final destination. The flow is shown below. Each URL in the chain returns the next URL in its response. The chain changes on every visit, and the URL returned depends on the user's IP, country, and access environment.
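Because each hop's response supplies the next URL, the chain is best recorded one hop at a time rather than letting a client follow redirects silently. The following tracer is an added example for this article, not AhnLab's tooling: it disables urllib's automatic redirect handling, records every (URL, status) pair, resolves relative Location headers, and stops on loops. The fetch function is injectable, so the offline run below uses a constructed chain on example.* hostnames that mimics the redirector, a traffic distribution step, and a final landing page; no real infrastructure is contacted.

```python
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin

# fetch(url) -> (HTTP status, Location header or None). Injectable so the tracer can
# run against a constructed chain offline, or against real hosts from a sandbox.
Fetch = Callable[[str], Tuple[int, Optional[str]]]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def urllib_fetch(url: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """One request, no automatic following: urllib is told to stop at the first 3xx."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # returning None makes urllib raise HTTPError for the 3xx instead

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def trace_redirects(start: str, fetch: Fetch = urllib_fetch, max_hops: int = 10) -> List[Tuple[str, int]]:
    """Walk a redirect chain hop by hop, recording (url, status) for every intermediate URL.
    Stops at the first non-3xx response, a missing Location, a loop, or max_hops."""
    chain: List[Tuple[str, int]] = []
    seen = set()
    url = start
    while url not in seen and len(chain) < max_hops:
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return chain


# Constructed chain (example.* names, not real infrastructure) mimicking the article's flow:
# redirection service -> traffic distribution step with a relative Location -> final landing page.
CONSTRUCTED_CHAIN = {
    "https://redirector.example/~r/abc": (302, "https://tds.example/go?cid=1"),
    "https://tds.example/go?cid=1": (302, "/land?geo=KR"),
    "https://tds.example/land?geo=KR": (200, None),
}


def constructed_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for urllib_fetch that answers from CONSTRUCTED_CHAIN."""
    return CONSTRUCTED_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    for hop, (url, status) in enumerate(trace_redirects("https://redirector.example/~r/abc", fetch=constructed_fetch)):
        print(f"{hop}: {status} {url}")
```

Two caveats for live use. First, run it only from an isolated egress point, and expect a different chain from a different IP, country, or User-Agent, since that is exactly how the redirection service chooses its destination. Second, this records HTTP 3xx hops only; a hop that redirects through a meta refresh or JavaScript in a 200 response body will appear as the end of the chain and needs a browser-based sandbox to follow.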

The final destination URL has been confirmed to be an advertising pop-up website. Connections to gambling, advertising, and adult websites that use the browser notification feature were also observed. Furthermore, although no such cases have been found as of now, websites of this kind that download a Trojan EXE payload chosen by the attacker or install a malicious Chrome extension have also been discovered.

Phishing PDF files with CAPTCHA screens are being produced in mass quantities, so there are a great many distribution cases; however, the malicious behavior, redirection to a malicious website, only takes place when the user clicks the image or URL. Further damage can therefore be prevented if users exercise caution before opening files received through spam mail and the like, and in particular before clicking links inside them.

File Detection

Phishing/PDF.Malurl
Phishing/PDF.Malurl.XG4
Phishing/PDF.Malurl.XG5
Phishing/PDF.Malurl.XG6 and more

IOC

https[:]//ttraff[.]ru
http[:]//yughzlegelsmelne[.]scdd[.]ru
http[:]//yakutiaprime[.]ru
https[:]//vmkstroi[.]ru
https[:]//irlanc[.]ru
http[:]//yughclewdenergy[.]scdd[.]ru
http[:]//acutecardio[.]ru
https[:]//pixomot[.]ru
https[:]//jumiwimov[.]ru
https[:]//oniceh[.]ru
https[:]//cctraff[.]ru
https[:]//mezovuduw[.]ru
https[:]//infrive[.]ru
https[:]//seumenha[.]ru and more

※ The URLs above are traffic redirection URLs, not the final malicious URLs themselves.

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

104bb6aee51fd308bbf482827c85be83
73c0cb73f9c78c6ddc275dc474907d85
8009997b8ab566e62613570f4d506c78
88acc7e871d22666b8da72ba594524a2
aa19a69f6869db108b996de8fb3b7e39
ad7fbfc9e216fef21ecc2e74b0ab9ba2
b849a021bfe1bee16b8820e90ee82256
bfc460f729b1a07ce743b8cd31926a68
e51659ef7c9535ac6fe3f8388458e308
f7d5d7187fe6055bfc1036d3929b95d8

Categories: Malware Information
