This report summarises a campaign that used malicious online file converters to distribute malware, notably Arechclient2, by impersonating legitimate services. It covers the methods the attackers used and offers protection recommendations.
Affected: online file converters, users, organizations, digital workflows
Key points:
- The FBI issued an alert on March 17, 2025, about malicious online file converters.
- Mimicking the legitimate service pdfcandy.com, attackers created fake conversion websites.
- Users are tricked into executing PowerShell commands that install malware.
- Arechclient2 is identified as a variant of the SectopRAT family, known for stealing sensitive information.
- Technical analysis reveals a complex redirection and delivery process for the malware.
- Security recommendations include using trusted tools and implementing robust technical controls.
MITRE Techniques:
- Defense Evasion (T1203): Attackers trick users into executing malicious PowerShell commands.
- Credential Access (T1536): By utilizing Arechclient2, the malware collects sensitive data, including credentials.
- Initial Access (T1071): Social engineering through fake online converter sites is used to gain a foothold.
- Command and Control (T1071): The malware establishes communication with remote servers to receive commands.
Indicators of Compromise:
- [Domain] candyxpdf[.]com
- [Domain] candyconverterpdf[.]com
- [URL] bind-new-connect[.]click/santa/bee
- [URL] bind-new-connect[.]click/marmaris/later
- [IP Address] 172[.]86[.]115[.]43
- [Hash] adobe[.]zip (Hash: 72642E429546E5AB207633D3C6A7E2E70698EF65)
- [Hash] audiobit[.]exe (Hash: 51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834)
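The indicators above are published in defanged form (`[.]` in place of `.`), so they cannot be pasted straight into a log search. The following Python script is an added example, not part of the report: it refangs the report's domains, URLs, IP and file hashes, then matches them against a few constructed DNS, proxy and firewall log lines (the log format and client addresses are invented for the example). The hash lengths (40 and 64 hex characters) are assumed to be SHA-1 and SHA-256 respectively; the report itself only labels them "Hash".

```python
import hashlib
import re

# Indicators exactly as listed in the report (defanged with "[.]").
REPORT_DOMAINS = ["candyxpdf[.]com", "candyconverterpdf[.]com"]
REPORT_URLS = ["bind-new-connect[.]click/santa/bee",
               "bind-new-connect[.]click/marmaris/later"]
REPORT_IPS = ["172[.]86[.]115[.]43"]
# Hash -> file name from the report. Length 40 is assumed SHA-1, 64 SHA-256.
REPORT_HASHES = {
    "72642E429546E5AB207633D3C6A7E2E70698EF65": "adobe.zip",
    "51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834": "audiobit.exe",
}


def refang(ioc: str) -> str:
    """Turn defanged notation back into the literal string that appears in logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_matcher():
    """Normalised lookup sets: listed hosts, listed URLs, and hosts of listed URLs."""
    hosts = {refang(x).lower() for x in REPORT_DOMAINS + REPORT_IPS}
    urls = {refang(u).lower() for u in REPORT_URLS}
    url_hosts = {u.split("/", 1)[0] for u in urls}
    return hosts, urls, url_hosts


# Matches an optional scheme, a host token (letters, digits, dots, dashes) and an optional path.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+)(/[^\s\"]*)?", re.I)


def scan_log_line(line: str):
    """Return a list of (indicator_type, indicator) hits for one log line.

    'host'     : a listed domain or IP appeared anywhere in the line
    'url'      : a listed host+path prefix appeared
    'url-host' : the host of a listed URL appeared, but with a different path
    """
    hosts, urls, url_hosts = build_matcher()
    hits = []
    for m in HOST_RE.finditer(line.lower()):
        host, path = m.group(1), m.group(2) or ""
        if host in hosts:
            hits.append(("host", host))
        if host in url_hosts:
            full = host + path
            matched = [u for u in urls if full.startswith(u)]
            if matched:
                hits.extend(("url", u) for u in matched)
            else:
                hits.append(("url-host", host))
    return hits


def scan_logs(lines):
    """Return [(line, hits)] for every line that touched at least one indicator."""
    results = []
    for line in lines:
        hits = scan_log_line(line)
        if hits:
            results.append((line, hits))
    return results


def hash_lookup(hex_digest: str):
    """Case-insensitive lookup of a hex digest against the report's hash list."""
    wanted = hex_digest.strip().lower()
    for h, name in REPORT_HASHES.items():
        if h.lower() == wanted:
            return name
    return None


def hash_file_bytes(data: bytes):
    """Hash file content with both algorithms the report's digests imply and look it up."""
    for algo in (hashlib.sha1, hashlib.sha256):
        name = hash_lookup(algo(data).hexdigest())
        if name:
            return name
    return None


# Constructed sample log lines (not from the report) in a simple key=value style.
SAMPLE_LOGS = [
    "2025-03-18T10:01:02Z dns client=10.0.0.5 qname=candyxpdf.com type=A",
    "2025-03-18T10:01:05Z proxy client=10.0.0.5 GET http://bind-new-connect.click/santa/bee 200",
    "2025-03-18T10:02:00Z proxy client=10.0.0.7 GET https://pdfcandy.com/ 200",
    "2025-03-18T10:03:11Z firewall allow src=10.0.0.5 dst=172.86.115.43:443",
]

if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS):
        print(hits, "<-", line)
    print(hash_lookup("72642e429546e5ab207633d3c6a7e2e70698ef65"))
```

Only the legitimate pdfcandy.com line produces no hit; the DNS, proxy and firewall lines each match one indicator. Because the hosts of the two listed URLs are also tracked as `url-host`, a request to the same host with an unlisted path is still surfaced for review rather than silently dropped.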