Threat-Loaded: Malicious PDFs Never Go Out of Style

Threat actors increasingly weaponize PDFs in email-borne attacks to gain initial access, with Qakbot and IcedID delivering payloads via malicious links and multi-stage chains. The article also covers social engineering, exploit techniques against PDF readers, and mitigations like disabling JavaScript and keeping readers updated. #Qakbot #IcedID #BazarCall #CVE-2017-11882 #CVE-2021-28550 #AdobeAcrobat #TrustwaveSpiderLabs

Keypoints

  • PDFs are being used as an effective initial access vector in malspam campaigns, rising in prominence in early 2023.
  • PDFs’ ubiquity, perceived trustworthiness, and difficulty of detection make them attractive for social engineering and phishing playbooks.
  • Attackers leverage malicious hyperlinks in PDFs to direct victims to credential-phishing sites or to drop malware, notably seen with Qakbot and IcedID.
  • An infection chain can involve PDFs dropping archives or scripts, using JavaScript in the PDF (including actions like OpenAction and EmbeddedFile) to deliver payloads.
  • Techniques include password-protected archives, embedded Office documents, and CVE exploits (e.g., CVE-2017-11882, CVE-2021-28550) to execute code on the target system.
  • Social engineering extends to call-back phishing and invoice-themed emails designed to elicit a phone call or sensitive data, exemplified by BazarCall-style activity.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The PDF acts as the initial lure in malspam with attachments like invoices; “In this attack, cybercriminals initially sent an email… with an attached invoice in PDF.”
  • [T1566.002] Phishing: Spearphishing Link – PDFs contain malicious links that lead to credential phishing sites or malware drops; “Attackers commonly use PDF documents to deliver malicious links to victims. For instance, a PDF may contain a link that appears to be legitimate but leads the users to a website that phishes their login credentials or drops malware onto their system.”
  • [T1059.007] JavaScript – PDF dropper uses JavaScript actions to drop and launch embedded files; “A case we encountered utilized JavaScript action to drop and launch embedded Office Document in the PDF file itself.”
  • [T1027.001] Obfuscated/Compressed Files and Information – Variants drop a password-protected archive within the PDF chain; “There’s a variant where the embedded link drops a password-protected archive, and the password is included in the maliciously crafted PDF.”
  • [T1203] Exploitation for Client Execution – The payload chain ends with exploits like CVE-2017-11882 (Word/Office) to execute payloads; “The resulting payload is an RTF document loaded with the CVE-2017-11882 exploit and launched when opened with Microsoft Word.”
  • [T1566.001] Phishing: Spearphishing Attachment – Callback phishing described as emails prompting victims to call a number to cancel a subscription, aligning with phishing social engineering; “Callback phishing was first spotted… prompted through phishing emails to call a number to cancel a subscription.”
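
As an added example (not code from the Trustwave article), the triage check below scans raw PDF bytes for the markers named in the keypoints and the T1059.007 entry above: it decodes #xx hex escapes in PDF name tokens before matching, so a name written as /J#61vaScript is still counted, and flags the OpenAction + JavaScript + EmbeddedFile combination used by the dropper chain. The two PDF skeletons are constructed inputs, and the function names and verdict strings are this example's own.

```python
import re

# PDF name tokens may spell letters as #xx hex escapes (e.g. /J#61vaScript),
# which defeats naive string matching; decode them before pattern matching.
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names indicating auto-run actions, script, embedded payloads, or external links.
RISKY_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
               b"/EmbeddedFile", b"/Launch", b"/URI")

def normalize_names(data: bytes) -> bytes:
    """Replace #xx escapes with the literal byte (applied file-wide for triage)."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def count_risky_names(data: bytes) -> dict:
    """Count each risky name in the de-escaped raw bytes.
    Caveat: names inside FlateDecode'd object streams (PDF 1.5+) are invisible
    to a raw scan; decompress those streams first for a thorough check."""
    norm = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # Require a non-alphanumeric follower so /JS does not match /JSx.
        counts[name.decode()] = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", norm))
    return counts

def triage_pdf(data: bytes) -> dict:
    """Flag the dropper pattern from the article: auto-run + script + payload."""
    c = count_risky_names(data)
    auto_exec = c["/OpenAction"] or c["/AA"]
    script = c["/JavaScript"] or c["/JS"]
    payload = c["/EmbeddedFile"] or c["/Launch"]
    if auto_exec and script and payload:
        verdict = "suspicious: auto-run script with embedded payload"
    elif script or payload or c["/URI"]:
        verdict = "review: active content or external link present"
    else:
        verdict = "no active content markers"
    return {"counts": c, "verdict": verdict}

# Constructed minimal PDF skeletons (not samples from the article).
SAMPLE_DROPPER = (b"%PDF-1.7\n"
                  b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
                  b"3 0 obj << /S /J#61vaScript /JS (placeholder-script) >> endobj\n"
                  b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
                  b"trailer << /Root 1 0 R >>\n%%EOF\n")
SAMPLE_BENIGN = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                 b"trailer << /Root 1 0 R >>\n%%EOF\n")
if __name__ == "__main__":
    for label, pdf in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(label, triage_pdf(pdf))
```

Run it against a directory of quarantined attachments to pick out files worth deeper analysis; a "no markers" result is not a clean bill of health when object streams are compressed.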

Indicators of Compromise

  • [File Name] – Example: ProjectFunding-238992265.pdf, ProjectFunding_D392.wsf, aGiEOMg5zFKYNbCw.txt (XMLHTTP), asX6RVUBjtpro2bP9.txt (XMLHTTP); context: Qakbot-related artifacts observed in PDF/XMLHTTP delivery chains (and 2 more file names).
  • [SHA256] – Examples: ce3a18f51cd723a680e6d108a3803dc6d56f25477472042aa63d77f59fa9d5e7, 37dc95539b7255458a64617a2e71f84c618053ad02634bbdfa554627c664d6ad; context: file payloads associated with Qakbot dropper.
  • [SHA1] – Examples: b25bd2589c93bb4cb4378b296cc9fe1a08af14e4, 02965537fa2e861e4b4c494ac18e21d628d8afc0; context: hashes of suspicious PDFs/JS dropper components.
  • [MD5] – Examples: c9fce8da66737ef10a06982b0abf667b, 3166b32e8a67f5c232d114c4f8ef576b; context: additional file hashes tied to the Qakbot chain.
  • [URL] – Examples: hxxp://ncs[.]com[.]pk/pki/64482841d65cc[.]zip, hxxps://4iptv[.]eu/tsqu/tsqu[.]php; context: external resources hosted to deliver payloads.

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/threat-loaded-malicious-pdfs-never-go-out-of-style/