Beware! Disguised Adobe Reader Installer That Installs Infostealer Malware

An infostealer disguised as the Adobe Reader installation has been observed. The file is disseminated in PDF format and prompts users to download and run it.

The fake PDF file, according to AhnLab Security Intelligence Center (ASEC), is written in Portuguese and instructs users to download and install Adobe Reader. 

It urges users to download and install malware by informing them that Adobe Reader is needed to open the file.

The Flow Of The Attack

Researchers say the message prompts users to install and download Adobe Reader.

When users click the gray area as seen below, malware is downloaded, and they are redirected to the following message, hxxps://raw.githubusercontent[.]com/fefifojs/reader/main/Reader_Install_Setup.exe

Fake PDF File

“The downloaded file takes the form of the Adobe Reader icon, and its name is set as Reader_Install_Setup.exe.

By taking the disguise of the Adobe Reader installer, it prompts the user to run it”, ASEC researchers shared with Cyber Security News.

Reader_Install_Setup.exe

The downloaded file’s execution procedure has three stages: file creation, DLL Hijacking & UAC Bypass, and Information Leak.

Attack Phases

Following the file creation phase, Reader_Install_Setup.exe uses the following command to launch msdt.exe, a Windows system file, and produces two malicious files.

“C:\Windows\SysWOW64\msdt.exe” -path “C:\WINDOWS\diagnotics\index\BluetoothDiagnostic.xml” -skip yes

Running sdiagnhost.exe as administrator is the function of the msdt.exe process that is now running.

Therefore, when the sdiagnhost.exe process loads BluetoothDiagnosticUtil.dll, the malicious DLL file is loaded.

Following the above process, the threat actor can bypass user account control (UAC) by using DLL hijacking.

During the information leak phase, it generates files, including chrome.exe, and conceals them in the generated path.

Chrome.exe collects system and browser information and sends it to the C2 server.

The created chrome.exe is a malicious file associated with the actual Google Chrome browser, and it impersonates the actual browser executable file by using the same icon.

Consequently, users who acquire files from unauthorized sources should exercise extreme caution when dealing with files that ask them to run malware.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Threat Actors Manipulate Search Results to Lure Users to Malicious Websites

Cybercriminals are increasingly exploiting search engine optimization (SEO) techniques and paid advertisements to manipulate search…

1 day ago

Hackers Imitate Google Chrome Install Page on Google Play to Distribute Android Malware

Cybersecurity experts have unearthed an intricate cyber campaign that leverages deceptive websites posing as the…

1 day ago

Dangling DNS Attack Allows Hackers to Take Over Organization’s Subdomain

Hackers are exploiting what's known as "Dangling DNS" records to take over corporate subdomains, posing…

1 day ago

HelloKitty Ransomware Returns, Launching Attacks on Windows, Linux, and ESXi Environments

Security researchers and cybersecurity experts have recently uncovered new variants of the notorious HelloKitty ransomware,…

1 day ago

RansomHub Ransomware Group Hits 84 Organizations as New Threat Actors Emerge

The RansomHub ransomware group has emerged as a significant danger, targeting a wide array of…

1 day ago

Threat Actors Leverage Email Bombing to Evade Security Tools and Conceal Malicious Activity

Threat actors are increasingly using email bombing to bypass security protocols and facilitate further malicious…

2 days ago