Stolen Data via Evil PDFs

Submitted by Nick on Tue, 09/04/2018 - 10:22

I subscribe to a newsletter called Cyberheist News. This newsletter is put together by a company named KnowBe4 that specializes in pen testing, phishing, and spoofingoffers companies many options to see where threats may be hidden and also provides online preventative training for users.

Just this morning I received one with an article on a new threat, created and seemingly being deployed by the Turla threat group, that installs a backdoor and exfiltrates data captured via email and a PDF attachment. The threat is real, and extremely hard to find. Not only is the initial threat installed by opening a PDF, but attackers can use PDF's to send commands to the backdoor and retrieve whatever data they may have found via PDF as well.

Using the PDF as the manner of delivery, tasking and transmission is virtually undetectable by most security solutions, making this one nasty bug. If you thought that you might just block the email that is being sent, think again. When the address is blocked, the hacker can recover control by sending another PDF with a new C2 address.

Think of all the emails that you open on a regular basis that might contain PDFs. As a general end-user, it might not be too many, but at the corporate level all it would take is a spoofed email address sending that last TPS report and the office space and all the data belongs to the hacker.