Phishing PDF files that have CAPTCHA screens are rapidly being mass-distributed this year. A CAPTCHA screen appears upon running the PDF file, but it is not an invalid CAPTCHA. It is simply an image with a link that redirects to a malicious URL. Related types that have been collected by AhnLab’s ASD infrastructure since July up till now amount to 1,500,000. It appears that most of them are distributed overseas, and thus there are fewer cases of damage in Korea. Phishing PDF file types that have been discovered until now had various screen layouts and operation methods, so a case such as this where a specific type is being mass-distributed is worthy of notice.
Most of the PDF files have 3 pages. There is a fake CAPTCHA screen on the first page, and clicking this image redirects the user to the URL specified by /URI. The URI is connected to a traffic redirection service such as feedproxy and traff.ru. (Refer to IOC below for the list of all traffic redirection service URLs.) Traffic redirection service does not host the resource directly. It only provides a redirection service that redirects the user to the destination. In other words, as the attacker can redirect without connecting the malicious file and the final malicious URL directly, the malicious URL can constantly be changed. This kind of redirection method is often used in recent cases of malware.
It appears that the attacker inserted the second and the third page purposefully during the process of automatically creating the PDF file. Each file has different insignificant texts and online links that connect to other phishing PDF files. It appears that all of the PDF files were developed using the wkhtmltopdf command line tool.
Redirection to Malicious URL
The attacker uses the traffic redirection service to move to the final destination. The first URL connected to the CAPTCHA image can be found under the /URI resource in the binaries of the PDF file.
The URL https[:]//feedproxy[.]google[.]com/~r/Uplcv/~3/S30rS-6n6vg/uplcv?utm_term=simple+launcher+for+elderly redirects users to an advertising website, the final destination. The flow of such action is shown below. The next URL is received as a response to the request of each URL. This URL is changed every time it is connected to, and the response URL changes depending on the user’s IP, country, and access environment.
The final destination URL has been confirmed to be an advertising pop-up website. Connection to gambling, advertising, adult websites with a browser notification feature was also available. Furthermore, although there are no such cases found as of now, websites that can download Trojan EXE executable payload intended by the attacker and installation of malicious Chrome extension program have been discovered.
Phishing PDF files with CAPTCHA screens are being developed in mass quantity, thus there is a great number of distribution cases; however, malicious behavior such as redirection to malicious websites is performed only when user clicks the image or URL. This means that further damage can be prevented if users take caution before opening malicious files received from spam mails and such.
Phishing/PDF.Malurl.XG6 and more
https[:]//seumenha[.]ru and more
※ The URLs above are traffic redirection URLs and are not malicious URLs themselves.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.