Search results for PDF | Breaking Cybersecurity News | The Hacker News

Malicious actors are using a legitimate Rust-based injector called  Freeze[.]rs  to deploy a commodity malware called XWorm in victim environments. The novel attack chain, detected by Fortinet FortiGuard Labs on July 13, 2023, is initiated via a phishing email containing a booby-trapped PDF file. It has also been used to introduce Remcos RAT by means of a crypter called SYK Crypter, which was first documented by Morphisec in May 2022. "This file redirects to an HTML file and utilizes the 'search-ms' protocol to access an LNK file on a remote server," security researcher Cara Lin  said . "Upon clicking the LNK file, a PowerShell script executes Freeze[.]rs and SYK Crypter for further offensive actions." Freeze[.]rs, released on May 4, 2023, is an  open-source red teaming tool  from Optiv that functions as a payload creation tool used for circumventing security solutions and executing shellcode in a stealthy manner. "Freeze[.]rs utilizes multiple te

Are you using Foxit PDF Reader? If yes, then you need to watch your back. Security researchers have discovered two critical zero-day security vulnerabilities in Foxit Reader software that could allow attackers to execute arbitrary code on a targeted computer, if not configured to open files in the Safe Reading Mode. The first vulnerability (CVE-2017-10951) is a command injection bug discovered by researcher Ariele Caltabiano working with Trend Micro's Zero Day Initiative (ZDI), while the second bug (CVE-2017-10952) is a file write issue found by Offensive Security researcher Steven Seeley. An attacker can exploit these bugs by sending a specially crafted PDF file to a Foxit user and enticing them to open it. Foxit refused to patch both the vulnerabilities because they would not work with the "safe reading mode" feature that fortunately comes enabled by default in Foxit Reader. "Foxit Reader & PhantomPDF has a Safe Reading Mode which is enabled by d

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

Sandboxes are synonymous with dynamic malware analysis. They help to execute malicious files in a safe virtual environment and observe their behavior. However, they also offer plenty of value in terms of static analysis. See these five scenarios where a sandbox can prove to be a useful tool in your investigations. Detecting Threats in PDFs PDF files are frequently exploited by threat actors to deliver payloads. Static analysis in a sandbox makes it possible to expose any threat a malicious PDF contains by extracting its structure. The presence of JavaScript or Bash scripts can reveal a possible mechanism for downloading and executing malware.  Sandboxes like ANY.RUN also allows users to scrutinize URLs found in PDFs to identify suspicious domains, potential command and control (C2) servers, or other indicators of compromise. Example: Static analysis of a PDF file in ANY.RUN Interactivity allows our users to manipulate files within a VM as they wish, but static Discovery offers

Researchers have disclosed an unpatched security vulnerability in " dompdf ," a PHP-based HTML to PDF converter, that, if successfully exploited, could lead to remote code execution in certain configurations. "By injecting CSS into the data processed by dompdf, it can be tricked into storing a malicious font with a .php file extension in its font cache, which can later be executed by accessing it from the web," Positive Security researchers Maximilian Kirchmeier and Fabian Bräunlein  said  in a report published today. In other words, the flaw  allows  a malicious party to upload font files with a .php extension to the web server, which can then be activated by using an  XSS vulnerability  to inject HTML into a web page before it's rendered as a PDF. This meant that the attacker could potentially navigate to the uploaded .php script, effectively permitting remote code execution on the server. This can have significant consequences on websites that require

The North Korean threat actor known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tools and tactics as part of a long-running campaign called  DeathNote . While the nation-state adversary is known for persistently singling out the cryptocurrency sector, recent attacks have also targeted automotive, academic, and defense sectors in Eastern Europe and other parts of the world, in what's perceived as a "significant" pivot.  "At this point, the actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services," Kaspersky researcher Seongsu Park  said  in an analysis published Wednesday. The deviation in targeting, along with the use of updated infection vectors, is said to have occurred in April 2020. It's worth noting that the DeathNote cluster is also tracked under the monikers  Operation Dream Job  or  NukeSped . Google-owned Mandiant has also tied a subset of the activit

McAfee said it has found a vulnerability in Adobe Systems' Reader program that reveals when and where a PDF document is opened. The issue emerges when some users launch a link to another file path, which calls on a JavaScript application programming interface (API), while Reader alerts a user when they are going to call on a resource from another place. The issue is not a serious problem and does not allow for remote code execution, but McAfee does consider it a security problem and has notified Adobe. It affects every version of Adobe Reader, including the latest version, 11.0.2. " We have detected some PDF samples in the wild that are exploiting this issue. Our investigation shows that the samples were made and delivered by an 'email tracking service' provider. We don't know whether the issue has been abused for illegal or APT attacks ," wrote McAfee's Haifei Li. McAfee declined to reveal the details of the vulnerability as Adobe i

Trojans were the most prolific malware threat in February-March, and collaboration seems to be the name of the game in malware development and distribution. Trojan-based attacks continue to be the biggest malware threat in February, but PDF exploits aren't far behind, according to several security reports. About 1 in 290 e-mails in February were malicious, making the month one of the most prolific periods for the threats, according to Symantec's February 2011 MessageLabs Intelligence Report. The global ratio of spam in e-mail traffic was 81.3 percent, an increase of 2.7 percent since January, the report found. The recent decline in spam appears to have reversed for the time being, according to the report. There was a lot of botnet activity in February, and the perpetrators appeared to be working together to some extent to distribute Trojans, according to Symantec. There were signs of integration across Zeus, Bredolab and SpyEye, as techniques associated with one malware family w

A new Android malware campaign has been observed pushing the Anatsa banking trojan to target banking customers in the U.S., U.K., Germany, Austria, and Switzerland since the start of March 2023. "The actors behind Anatsa aim to steal credentials used to authorize customers in mobile banking applications and perform Device-Takeover Fraud (DTO) to initiate fraudulent transactions," ThreatFabric  said  in an analysis published Monday. The Dutch cybersecurity company said Anatsa-infected Google Play Store  dropper apps  have accrued over 30,000 installations to date, indicating that the official app storefront has become an effective distribution vector for the malware. Anatsa, also known by the name TeaBot and Toddler, first  emerged  in  early 2021 , and has been observed  masquerading  as  seemingly innocuous utility apps  like PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to siphon users' credentials. It has since become one o

FireEye researchers recently came across a zero-day security flaw in Adobe Reader that's being actively exploited in the wild. The zero-day vulnerability is in Adobe PDF Reader 9.5.3, 10.1.5, 11.0.1 and earlier versions. According to researchers, once malware takes advantage of the flaw, its payload drops two dynamic-link libraries, or DLLs, which are application extensions used by executable files to perform a task. In this case, they allow the infected computer to communicate with a hacker-owned server. No additional details about the zero-day vulnerabilities have been publicly released, and but researchers with antivirus provider Kaspersky Lab have confirmed the exploit can successfully escape the Adobe sandbox. " We have already submitted the sample to the Adobe security team. Before we get confirmation from Adobe and a mitigation plan is available, we suggest that you not open any unknown PDF files ," said FireEye team. But until the vulnerability gets patched,

If you're a daily computer user, you're likely aware of all the threats you face every day online in the form of viruses and malware . CryptoLocker , a new ransomware malware, began making the rounds several months ago. This ransomware is particularly nasty because infected users are in danger of losing their personal files forever. Ransomware is designed to extort money from computer users by holding computer files hostage until the computer user pays a ransom fee to get them back. The Cryptolocker hijacker sniffs out your personal files and wraps them with strong encryption before it demands money. Cryptolocker is spread through malicious hyperlinks shared via social media and spam emails, like fake UPS tracking notification emails. The original demanded payments of $100 to decrypt files, but the new and improved version demanding $300 from victims. Apparently, the encryption is created using a unique RSA-2048 public key. The decryption key is located o

If you have an online account with Foxit Software, you need to reset your account password immediately—as an unknown attacker has compromised your personal data and log-in credentials. Foxit Software, a company known for its popular lightweight Foxit PDF Reader and PhantomPDF applications being used by over 525 million users, today announced a data breach exposing the personal information of 'My Account' service users. Though for using free versions of any Foxit PDF software doesn't require users to sign up with an account, the membership is mandatory for customers who want to access "software trial downloads, order histories, product registration information, and troubleshooting and support information." According to a blog post published today by Foxit, unknown third-parties gained unauthorized access to its data systems recently and accessed its "My Account" registered users' data, including their email addresses, passwords, users' n

FireEye Security experts are analyzing a targeted trojan that leverages emailed PDF files to gain access to systems and deliver its payload to specified networks in the aerospace, chemical, defense and tech industries. " We have seen different versions of this malware arriving as an exe inside a zipped file or as a PDF attachment. In this particular sample, the exe once executed opens up a PDF file called "Health Insurance and Welfare Policy." In addition to opening up a PDF file, the initial exe also drops another executable called ABODE32.exe (notice the typo) in the temp directory ." The malware also uses JavaScript to assess which version of Adobe Reader is currently running on the host machine, and then executes attacks based on known vulnerabilities in the discovered version. Once the trojan has infected its host machine, it communicates with its command and control server, the user agent string and URI of which are hard-coded into MyAgent's binary. FireEye

Users in Brazil are the target of a new banking trojan known as  CHAVECLOAK  that's propagated via phishing emails bearing PDF attachments. "This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware," Fortinet FortiGuard Labs researcher Cara Lin  said . The attack chain involves the use of contract-themed DocuSign lures to trick users into opening PDF files containing a button to read and sign the documents. In reality, clicking the button leads to the retrieval of an installer file from a remote link that's shortened using the Goo.su URL shortening service. Present within the installer is an executable named "Lightshot.exe" that leverages DLL side-loading to load "Lightshot.dll," which is the CHAVECLOAK malware that facilitates the theft of sensitive information. This includes gathering system metadata and running checks to determine whether the compromis

Multiple companies operating in the cryptocurrency sector are the target of an ongoing malware campaign that involves a newly discovered Apple macOS backdoor codenamed RustDoor. RustDoor was  first documented  by Bitdefender last week, describing it as a Rust-based malware capable of harvesting and uploading files, as well as gathering information about the infected machines. It's distributed by masquerading itself as a Visual Studio update. While prior evidence uncovered at least three different variants of the backdoor, the exact initial propagation mechanism remained unknown. That said, the Romanian cybersecurity firm subsequently told The Hacker News that the malware was used as part of a targeted attack rather than a shotgun distribution campaign, noting that it found additional artifacts that are responsible for downloading and executing RustDoor. "Some of these first stage downloaders claim to be PDF files with job offerings, but in reality, are scripts that downl

A previously undocumented threat actor dubbed  SPIKEDWINE  has been observed targeting officials in European countries with Indian diplomatic missions using a new backdoor called WINELOADER . The adversary, according to a  report  from Zscaler ThreatLabz, used a PDF file in emails that purported to come from the Ambassador of India, inviting diplomatic staff to a wine-tasting event on February 2, 2024. The  PDF document  was uploaded to VirusTotal from Latvia on January 30, 2024. That said, there is evidence to suggest that this campaign may have been active at least since July 6, 2023, going by the discovery of  another similar PDF file  uploaded from the same country. "The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command-and-control (C2) infrastructure," security researchers Sudeep Singh and Roy Tay said. Central to the novel attack is the PDF file that comes embedded with a malicious

The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets. Slovak cybersecurity firm ESET linked it to a campaign dubbed " Operation In(ter)ception " that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into opening decoy job offer documents. The latest attack is no different in that a job description for the Coinbase cryptocurrency exchange platform was used as a launchpad to drop a signed Mach-O executable. ESET's analysis comes from a sample of the binary that was uploaded to VirusTotal from Brazil on August 11, 2022. "Malware is compiled for both Intel and Apple Silicon," the company  said  in a series of tweets. "It drops three files: a decoy PDF document ' Coinbase_online_careers_2022_07.pdf ', a bundle  'FinderFontsUpdater.app ,' and a downloa

If you're one of the 400 million Android users out there who have installed Adobe Reader app that helps you to view PDF documents on mobile devices, then you should immediately update your app from Google Play Store. Adobe has released an updated Adobe Reader 11.2.0 version to addresses an important vulnerability that could be exploited to gain 'remote code execution' ability on the affected system. According to the Adobe  advisory , vulnerability ( CVE-2014-0514 ) resides in the implementation of JavaScript APIs on Adobe Reader 11.2 that could be exploited to execute arbitrary code within Adobe Reader. Adobe vulnerability discovered by security researcher  Yorick Koster of Securify BV , claimed that an attacker can create a specially crafted PDF file containing malicious JavaScript code that triggers when the victim will try to open it using affected Adobe Reader for Android Operating System. Multiple attack vectors are available to deploy a malicio