
A fake Adobe Acrobat Reader installer is being used to distribute a new multi-purpose malware called Byakugan.
The starting point of the attack is a PDF file written in Portuguese that displays a blurry image when opened and asks the victim to click on a link to download a Reader application to view the content.
According to Fortinet FortiGuard Labs, clicking on the URL results in the delivery of the installer program (“Reader_Install_Setup.exe”) that initiates the infection sequence. The AhnLab Security Intelligence Center (ASEC) first disclosed details of the campaign last month.
The attack chain uses techniques such as DLL hijacking and a Windows User Account Control (UAC) bypass to load a malicious dynamic link library (DLL) named “BluetoothDiagnosticUtil.dll”, which in turn loads and drops the final payload. It also deploys legitimate installers for PDF readers such as Wondershare PDFelement.
This binary collects and transmits system metadata to a command-and-control (C2) server and retrieves the main module (“chrome.exe”) from another server that also acts as the C2 endpoint for receiving files and commands.
“Byakugan is a Node.js-based malware packaged into an executable file via pkg,” said security researcher Pei Han Liao. “In addition to the main script, there are several libraries corresponding to the functionality.”

This includes setting up persistence, using OBS Studio to monitor the victim’s desktop, taking screenshots, downloading cryptocurrency mining programs, logging keystrokes, enumerating and uploading files, and scraping data stored in web browsers.
“There is a growing trend to use both clean and malicious components in malware, and Byakugan is no exception,” Fortinet said. “This approach increases the amount of noise generated during analysis, making accurate detection more difficult.”
This disclosure comes as ASEC revealed a new campaign that spreads the Rhadamanthys information stealer under the guise of a groupware installer.
“The threat actor created a fake website that resembled the original website and exploited the advertising feature in search engines to expose the website to users,” the South Korean cybersecurity firm said. “The malware being distributed uses indirect system call technology to hide from the eyes of security solutions.”
Unknown threat actors have also been found to be using manipulated versions of Notepad++ to deliver the WikiLoader malware, also known as WailingCrab.