Sunday, January 26, 2025
HomeComputer SecurityEvil Clone Attack - Hackers Injecting Crypto-mining Malware into Legitimate PDF Software

Evil Clone Attack – Hackers Injecting Crypto-mining Malware into Legitimate PDF Software

Published on

SIEM as a Service

Follow Us on Google News

Cybercriminals using a new type of attack called Evil clone to inject Cryptocurrency malware into legitimate PDF software to Mine cryptocurrency with the help of CoinHive miner.

Cryptocurrency malware is dramatically increasing this year to compromise various victims and an attacker generates huge revenue by illegally running miner using victims system resource.

Attackers abusing legitimate PDFescape software application installer to modify the package in order to delivery the crypto-mining malware.

PDFescape is a web-based PDF editor program written in JavaScript, HTML, CSS and ASP. Many Peoples using this software for PDF editing, form filling, page arrangement, printing, saving, and form publishing.

Cybercriminals always using legitimate software to perform malicious activities by applying various modification even though legitimate software’s are secure to use.

In this case, the Attacker went to a depth into the legitimate PDF software PDFescape and create a evil clone.

Cryptomining Malware Injecting Process

Initially, attacker created the similar infrastructure on a server which is controlled by an attacker same as legitimate software vendor infrastructure.

Later they copied all the MSI file from the PDFescape software (installer package file for Windows) and placed it into the newly created infrastructure.

An attacker then decompiled and modified one of MSI and also added the additional malicious files which is represented the coin miner source code that turns the original installer of PDFescape into a malicious one.

This new installer redirect victims into malicious website and downloads the payload with the hidden file.

Attackers spreading this malicious package(pdfescape-desktop-Asian-and-extended-font-pack) in various form, once victim download and execute this malicious file then it drops malicious binary xbox-service.exe.

Then it runs malicious DLL under rundll32 with the name setup.log using the command line:

rundll32 C:\Windows\System32\setup.log.dll

Researchers from Comodo Cybersecurity performed a static analysis that reveals after the DLL file runs malicious process xbox-service.exe,  DLL payload tries to modify the Windows HOSTS file to prevent the infected machine from communication with update servers of various PDF-related apps and security software. Thus malware tries to avoid a remote cleaning and remediation of affected machines.

finally, the malicious DLL contains a dangerous browser script with an embedded link http://carma666.byethost12.com/32.html.

Once the embedded link will be executed then it downloads JavaScript of coinminer named CoinHive that utilize the infected system resource and generate the revenue.

Also Read:

Malware Abuse Google Ads to Injecting Coinhive Cryptocurrency Miner

Chinese Threat Actors Rocke Launching Sophisticated Crypto-mining Malware to Mine Monero Cryptocurrency

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Murdoc Botnet Exploiting AVTECH Cameras & Huawei Routers to Gain Complete Control

Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc,...