Infostealer Disguised as Adobe Reader Installer

A malicious infostealer was distributed as a fake Adobe Reader PDF that redirects victims to download Reader_Install_Setup.exe, which then performs file creation, DLL hijacking to bypass UAC, and information exfiltration to C2 servers. The payload creates require.exe and BluetoothDiagnosticUtil.dll, uses msdt.exe and sdiagnhost.exe to load the malicious DLL, and subsequently spawns a hidden chrome.exe that sends system and browser data to hxxps://blamefade.com[.]br and hxxps://thinkforce.com[.]br.

Keypoints

  • Threat delivered via a Portuguese-language PDF that instructs users to download an Adobe Reader installer, linking to a raw GitHub URL for Reader_Install_Setup.exe.
  • Downloaded executable (Reader_Install_Setup.exe) creates %TEMP%\require.exe and BluetoothDiagnosticUtil.dll under %AppData%\Local\Microsoft\WindowsApps, then launches msdt.exe to trigger escalation.
  • Attack abuses msdt.exe to run sdiagnhost.exe as administrator, which loads the malicious BluetoothDiagnosticUtil.dll (DLL hijacking) and causes require.exe to execute from DllMain.
  • require.exe collects PC information, creates %AppData%\Roaming\Chrome\Application, adds that path to Windows Defender exclusions, and drops a disguised chrome.exe.
  • The dropped chrome.exe harvests system and browser information and communicates with C2 domains hxxps://blamefade.com[.]br and hxxps://thinkforce.com[.]br.
  • AhnLab V3 detections and multiple MD5 hashes are provided as IOCs for detection and response.

MITRE Techniques

  • [T1204] User Execution – The lure PDF prompts users to download and run a fake Adobe Reader installer (‘…it prompts the user to download the malware and install it.’).
  • [T1574.001] DLL Side-Loading / DLL Hijacking – sdiagnhost.exe loads a malicious BluetoothDiagnosticUtil.dll leading to execution of require.exe (‘Loads malicious BluetoothDiagnosticUtil.dll (DLL Hijacking)’).
  • [T1548.002] Bypass User Account Control – The chain uses msdt.exe to run sdiagnhost.exe as administrator and leverages DLL hijacking to escalate without UAC prompts (‘the threat actor can bypass user account control (UAC) via DLL hijacking.’).
  • [T1071.001] Application Layer Protocol: Web Protocols – The malware communicates with C2 servers over HTTPS (‘Collects PC information and communicates with C2’).
  • [T1041] Exfiltration Over C2 Channel – Collected system and browser information is sent to C2 endpoints (‘Collects system information along with the user’s browser information and sends them to the C2 server’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – The dropped chrome.exe impersonates the legitimate browser executable by using the same icon (‘disguises as the actual browser executable file by using the identical icon of the actual browser icon’).

Indicators of Compromise

  • [File name] Distribution and payload names – Reader_Install_Setup.exe, require.exe, chrome.exe
  • [DLL] Malicious module – BluetoothDiagnosticUtil.dll (loaded by sdiagnhost.exe via DLL hijacking)
  • [URL] Download host – hxxps://raw.githubusercontent[.]com/fefifojs/reader/main/Reader_Install_Setup.exe
  • [C&C] Command-and-control domains – hxxps://blamefade.com[.]br, hxxps://thinkforce.com[.]br
  • [MD5] Sample hashes – 84526c50bc14838ddd97657db7c760ca, 0eebfc748bc887a6ef5bade20ef9ca6b (and 2 more hashes)

ASEC observed a campaign delivering an infostealer disguised as a PDF that instructs victims to install Adobe Reader; clicking the embedded area redirects to a raw GitHub-hosted executable (Reader_Install_Setup.exe) which uses an Adobe Reader icon to encourage execution. Once run, the installer creates two files (require.exe in %TEMP% and BluetoothDiagnosticUtil.dll under %AppData%\Local\Microsoft\WindowsApps) and launches the signed system tool msdt.exe with a diagnostic XML path to trigger sdiagnhost.exe.

msdt.exe runs sdiagnhost.exe elevated; sdiagnhost.exe loads BluetoothDiagnosticUtil.dll from the user-writable path (DLL hijacking). The malicious DLL contains no normal exports and instead runs require.exe from its DllMain; this sequence effectively bypasses UAC by abusing a trusted system binary to load attacker-controlled code.

require.exe collects system and browser details, contacts C2 infrastructure (hxxps://blamefade.com[.]br and hxxps://thinkforce.com[.]br), creates %AppData%\Roaming\Chrome\Application, adds that path to Windows Defender exclusions, drops a disguised chrome.exe, and sends harvested data to the C2. Detection can focus on the named files, the specified hashes, the raw GitHub download URL, the C2 domains, and the Defender exclusion activity.
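The detection focus above can be turned into concrete rules over endpoint telemetry. The following is an added example written for this summary, not ASEC's code: it runs a handful of behavioural and IoC rules over constructed Sysmon-style events (process creation, image load, registry set, network connection, file hash) that mirror the chain described in the write-up. The event schema and the sample host/user paths are assumptions; the MD5 hashes, download URL and C2 domains are the IoCs listed on this page.

```python
"""Detection rules for the Reader_Install_Setup.exe infection chain.

Added example for this summary, not ASEC's code. The event dictionaries
imitate Sysmon-style telemetry; SAMPLE_EVENTS below is constructed, while
the hashes, download URL and C2 domains are the write-up's IoCs.
"""

# Indicators taken from the write-up.
IOC_MD5 = {
    "84526c50bc14838ddd97657db7c760ca",
    "0eebfc748bc887a6ef5bade20ef9ca6b",
}
IOC_DOMAINS = {"blamefade.com.br", "thinkforce.com.br"}
IOC_URL_FRAGMENT = "raw.githubusercontent.com/fefifojs/reader/main/reader_install_setup.exe"

# Assumed path conventions (lower-case; Windows paths are case-insensitive).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
LEGIT_CHROME = {
    "c:\\program files\\google\\chrome\\application\\chrome.exe",
    "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
}


def _user_writable(path):
    return any(marker in path for marker in USER_WRITABLE)


def detect(events):
    """Return [(rule_id, evidence), ...] for every event that matches a rule."""
    hits = []
    for ev in events:
        kind = ev["event"]
        if kind == "process_create":
            image = ev["image"].lower()
            parent = ev.get("parent_image", "").lower()
            # msdt.exe started by a binary running from a user-writable
            # directory (the fake installer): the first step of the bypass.
            if image.endswith("\\msdt.exe") and _user_writable(parent):
                hits.append(("msdt_from_user_writable_parent", parent))
            # sdiagnhost.exe should never spawn binaries from %TEMP%/%AppData%;
            # in this chain it runs require.exe via the hijacked DLL's DllMain.
            if parent.endswith("\\sdiagnhost.exe") and _user_writable(image):
                hits.append(("sdiagnhost_spawns_user_writable_child", image))
            # A chrome.exe that is not the installed browser (T1036.005).
            if image.endswith("\\chrome.exe") and image not in LEGIT_CHROME:
                hits.append(("chrome_masquerade_path", image))
        elif kind == "image_load":
            image = ev["image"].lower()
            loaded = ev["loaded"].lower()
            # DLL hijacking: sdiagnhost.exe loading a DLL from outside the
            # Windows system directories (T1574.001).
            if image.endswith("\\sdiagnhost.exe") and not loaded.startswith(SYSTEM_DIRS):
                hits.append(("sdiagnhost_loads_nonsystem_dll", loaded))
        elif kind == "registry_set":
            key = ev["key"].lower()
            value = ev.get("value_name", "").lower()
            # Defender path exclusion added for a user-writable directory.
            if "\\windows defender\\exclusions\\paths" in key and _user_writable(value):
                hits.append(("defender_exclusion_user_writable", value))
        elif kind == "file_hash":
            if ev["md5"].lower() in IOC_MD5:
                hits.append(("known_md5", ev["path"]))
        elif kind == "network":
            dest = ev.get("domain", "").lower()
            url = ev.get("url", "").lower()
            if dest in IOC_DOMAINS or IOC_URL_FRAGMENT in url:
                hits.append(("known_c2_or_download_url", dest or url))
    return hits


# Constructed telemetry reproducing the described chain plus benign noise.
SAMPLE_EVENTS = [
    {"event": "network", "url": "https://raw.githubusercontent.com/fefifojs/reader/main/Reader_Install_Setup.exe"},
    {"event": "file_hash", "path": "C:\\Users\\alice\\Downloads\\Reader_Install_Setup.exe",
     "md5": "84526c50bc14838ddd97657db7c760ca"},
    {"event": "process_create", "image": "C:\\Windows\\System32\\msdt.exe",
     "parent_image": "C:\\Users\\alice\\Downloads\\Reader_Install_Setup.exe"},
    {"event": "image_load", "image": "C:\\Windows\\System32\\sdiagnhost.exe",
     "loaded": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\WindowsApps\\BluetoothDiagnosticUtil.dll"},
    {"event": "process_create", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\require.exe",
     "parent_image": "C:\\Windows\\System32\\sdiagnhost.exe"},
    {"event": "registry_set", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths",
     "value_name": "C:\\Users\\alice\\AppData\\Roaming\\Chrome\\Application"},
    {"event": "process_create", "image": "C:\\Users\\alice\\AppData\\Roaming\\Chrome\\Application\\chrome.exe",
     "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\require.exe"},
    {"event": "network", "domain": "blamefade.com.br"},
    # Benign events that must not fire.
    {"event": "process_create", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"event": "image_load", "image": "C:\\Windows\\System32\\sdiagnhost.exe",
     "loaded": "C:\\Windows\\System32\\ntdll.dll"},
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The behavioural rules (sdiagnhost.exe loading a non-system DLL, sdiagnhost.exe spawning a child from a user-writable path, a Defender exclusion for an %AppData% directory, chrome.exe outside its install path) keep working when the actor rotates hashes, domains or the GitHub account, which the pure IoC rules do not; both kinds fire on the constructed sample.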

Read more: https://asec.ahnlab.com/en/62853/