A recent campaign distributing Snake keylogger involves malicious PDF files that target users with malware via phishing emails. Users need to remain careful when opening unsolicited emails with attachments.

Snake Keylogger Malware Spreading Via PDF File

According to a recent post from HP Threat Research, threat actors have started a new email phishing campaign deploying Snake malware. This campaign uses malicious PDF files to target users with Snake keylogger, where they distribute the malicious PDFs.

As explained, the recent campaign caught HP researchers’ attention owing to its use of PDF document format. According to HP, using PDFs is relatively uncommon in such malware attacks. Instead, the attackers prefer to exploit Microsoft Office document formats like Word or Excel to trick users.

But perhaps, this uniqueness of document abuse could prove more effective for preying on users.

Briefly, the attack begins when the potential victim opens the incoming phishing email that includes a PDF attachment “REMMITANCE INVOICE.pdf”. Clicking on this file asks the user to open a Word document that embeds malware. Opening this .docx file triggers Word to download a .rtf file from a web server. The subsequent processes execute without the user knowing, ultimately running the malware.

Evasive Techniques Applied In The Campaign

HP elaborated that the campaign employs several evasive techniques to stay under the radar, such as shellcode encryption, loading remote-hosted exploits, and embedding malicious files. In addition, the attackers also attempt to exploit an average user’s naiveness regarding software prompts by deceptively naming the malicious Word document. In the campaign analyzed, the attackers named the malicious file “has been verified. However PDF, Jpeg, xlsx, .docx” so that when a potential victim would open the document upon receiving the phishing email, the Adobe Reader prompt would read as,

The file ‘has been verified. However PDF, Jpeg, xlsx, .docs’ may contain programs, macros, or viruses that could potentially harm your computer.

At this point, the victim may open the file considering it safe after reading the “has been verified” in a rush, without noticing the quotation marks for the file name.

While the campaign bears tremendous malicious potential due to its deceptive techniques, it isn’t difficult for the users to steer clear of it. The most important thing to avoid such attacks is never to open attachments in unsolicited emails. Besides, protecting devices with up-to-date anti-malware apps can also help block known malware attacks before infection.