AhnLab Security Emergency response Center (ASEC) observed the distribution of PDF files that contain malicious URLs. The domains linked from the PDF files indicate that similar PDFs are being distributed under the guise of downloading certain games or crack versions of program files. Below is a list of some of the PDF files that are being distributed.
Clicking the button within the distributed PDF files connects users to a malicious URL. The figure below is the screen that is displayed upon opening a PDF file. Clicking either of the two buttons shaded in red leads to the following URL.
At the connected link, users are redirected to the following URL.
The figure below shows the website the users are redirected to. Clicking the blue download button downloads an encrypted compressed file and redirects users to a page that displays the password for decryption.
The redirected page displays the string “Archive password: 1234” to prompt users to decompress and execute the encrypted file. The figure below is the screen that displays the decompression password after users are redirected from the file download address.
Upon decompressing the downloaded file “Setup.7z” using the password, the File.exe in the figure shown below is created.
When the File.exe process is run with admin privileges, the registry value is modified as shown below to disable Windows Defender.
* HKLM\SOFTWARE\Policies\Microsoft\Windows Defender:DisableAntiSpyware=1
In addition, the IP address and location information of the infected PC are collected using the browser login information and an IP geolocation API website. Then, additional malware is downloaded to the path below.
- C:\Users\%USERNAME%\Pictures\Minor Policy
The downloaded malware types vary from ransomware, PUPs, infostealers, droppers, and more. Some of the downloaded files have their attributes set to hidden and system. The figure below is a screenshot of some of the malicious files that are downloaded.
As shown in the schematic below, the overall flow of malware distribution starts with a PDF file containing the initial malicious URL, which prompts users to download and execute the malware. That malware then downloads and executes numerous other malware such as ransomware, adware, and infostealers.
In particular, the malware that is downloaded from hxxp://109.107.182[.]2/race/bus50.exe is an SFX file comprised of a CAB file. When the SFX file is executed, a file that performs malicious behaviors and another SFX file are created in the “IXP000.TMP” folder under the %TEMP% path. The SFX file in the subfolder creates folders under the %TEMP% path whose names increment the number after the “IXP” string (such as “IXP001.TMP”) and creates further files inside them. This process is repeated until a total of 6 SFX files and 7 additional malware are created.
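As an added example (not from the ASEC post), the following Python scans constructed Sysmon-style registry and file-create events for the three host indicators described above: the DisableAntiSpyware policy value being set to 1, files dropped under Pictures\Minor Policy, and the nested IXPnnn.TMP extraction chain. The event lines, user name and file names are constructed for illustration, not real telemetry.

```python
import re

# Constructed Sysmon-style events (not real telemetry): ID 13 = registry value set, ID 11 = file create
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Users\\victim\\Downloads\\File.exe TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware Details=DWORD (0x00000001)",
    "EventID=11 Image=C:\\Users\\victim\\Downloads\\File.exe TargetFilename=C:\\Users\\victim\\Pictures\\Minor Policy\\bus50.exe",
    "EventID=11 Image=C:\\Users\\victim\\Pictures\\Minor Policy\\bus50.exe TargetFilename=C:\\Users\\victim\\AppData\\Local\\Temp\\IXP000.TMP\\stage1.exe",
    "EventID=11 Image=C:\\Users\\victim\\AppData\\Local\\Temp\\IXP000.TMP\\stage1.exe TargetFilename=C:\\Users\\victim\\AppData\\Local\\Temp\\IXP001.TMP\\stage2.exe",
    "EventID=13 Image=C:\\Windows\\regedit.exe TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware Details=DWORD (0x00000000)",
    "EventID=11 Image=C:\\Program Files\\App\\app.exe TargetFilename=C:\\Users\\victim\\Pictures\\holiday.jpg",
]

# Indicators taken from the post: the policy value, the drop directory and the SFX temp-folder pattern
DEFENDER_KEY = r"hklm\software\policies\microsoft\windows defender\disableantispyware"
DROP_DIR = re.compile(r"^c:\\users\\[^\\]+\\pictures\\minor policy\\", re.I)
IXP_DIR = re.compile(r"\\temp\\ixp(\d{3})\.tmp\\", re.I)


def parse_event(line):
    """Split 'Key=Value' pairs; values may contain spaces, so stop only before the next 'Key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def classify(ev):
    """Return a verdict string for a suspicious event, or None for benign ones."""
    eid = ev.get("EventID")
    if eid == "13" and ev.get("TargetObject", "").lower() == DEFENDER_KEY \
            and ev.get("Details", "").endswith("(0x00000001)"):
        return "defender_disabled"          # value set to 1, as the post describes
    if eid == "11":
        target = ev.get("TargetFilename", "")
        if DROP_DIR.match(target):
            return "minor_policy_drop"      # payload written to Pictures\Minor Policy
        if IXP_DIR.search(target):
            return "ixp_sfx_stage"          # nested CAB SFX extraction into %TEMP%\IXPnnn.TMP
    return None


def scan(lines):
    """Return (verdict, creating process, target) for every event that matches an indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((verdict, ev.get("Image"), ev.get("TargetObject") or ev.get("TargetFilename")))
    return hits


def ixp_chain_depth(hits):
    """Number of distinct IXP stages observed (the post reports the chain reaching 6 SFX files)."""
    indices = {int(IXP_DIR.search(t).group(1)) for v, _, t in hits if v == "ixp_sfx_stage"}
    return max(indices) + 1 if indices else 0
```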
An SFX file in CAB format was introduced in the ASEC Blog in 2021.
Many files with similar formats are being distributed aside from the ones introduced in the ASEC Blog. Users must refrain from using cracked and illegal programs and proceed with caution when executing files.
AhnLab’s anti-malware product, V3, detects and blocks the malware using the aliases below. The MD5 hashes of the samples (IOCs) are listed after the aliases.
- Phishing/PDF.Generic (2023.10.25.02)
- Downloader/Win.BeamWinHTTP.C5530057 (2023.10.25.02)
- Dropper/Win.Generic.X2198 (2023.10.31.00)
- Trojan/Win.RedLine.R619129 (2023.10.31.01)
MD5:
- d97fbf9d6dd509c78308731b0e57875a (PDF)
- 9ce00f95fb670723dd104c417f486f81 (File.exe)
- 3837ff5bfbee187415c131cdbf97326b (SFX)
- 7e88670e893f284a13a2d88af7295317 (RedLine)
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.