Recently, Cegeka CSIRT investigated multiple incidents involving binaries with the file names ‘ManualFinderApp.exe’ and ‘PDF Editor.exe’. Cegeka CSIRT observed that the incidents started with the download of the malicious .msi package ‘AppSuite-PDF.msi’, which installs the ‘PDF Editor’ application. The .msi package is hosted on several websites that leverage advertisements to increase their reach. Cegeka CSIRT observed the package on several hosts, indicating a broader distribution campaign rather than isolated cases.
During the investigation, Cegeka CSIRT noticed that the .msi package was downloaded from several websites (such as ‘pdfadmin[.]com’, ‘pdfmeta[.]com’, ‘pdftraining[.]com’, ‘fullpdf[.]com’ and others). All of the referenced domains share a nearly identical design and were found to distribute similar builds of the ‘AppSuite-PDF.msi’ package.
Analysis of the available telemetry from the affected hosts revealed a consistent sequence of events that led to the download of ‘AppSuite-PDF.msi’:
This pattern suggests that the threat actor(s) may be leveraging malvertising to promote the application, increasing its visibility and reach across different victims.
Once the download is initiated, the websites display execution instructions telling the user to run the .msi file. The infection occurs only after direct user interaction: the user must manually launch the downloaded ‘.msi’ file, which then installs the malicious payload on the host.
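As an added detection example (not code from the Cegeka CSIRT report), the Python below correlates telemetry lines per host into the three stages described above: a download of AppSuite-PDF.msi from one of the named distribution domains, msiexec installing that package, and execution of the dropped PDF Editor.exe or ManualFinderApp.exe. The line format and the sample log entries are constructed for the demo; the domain list covers only the four domains named in this post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators named in the advisory above (domains de-fanged in the text).
DISTRIBUTION_DOMAINS = {"pdfadmin.com", "pdfmeta.com", "pdftraining.com", "fullpdf.com"}
INSTALLER_NAME = "appsuite-pdf.msi"
DROPPED_BINARIES = {"pdf editor.exe", "manualfinderapp.exe"}

# Constructed sample telemetry (not real logs); assumed format is
# "<timestamp> <host> <event_type> <details>".
SAMPLE_LOG = [
    r'2024-01-01T10:00:01Z WS01 web_download url=https://pdfmeta.com/get/AppSuite-PDF.msi',
    r'2024-01-01T10:00:45Z WS01 process_create image=C:\Windows\System32\msiexec.exe cmdline="msiexec.exe /i C:\Users\u\Downloads\AppSuite-PDF.msi"',
    r'2024-01-01T10:01:10Z WS01 process_create image=C:\Users\u\AppData\Local\PDF Editor\PDF Editor.exe cmdline="PDF Editor.exe"',
    r'2024-01-01T10:03:00Z WS02 web_download url=https://example.org/docs/report.pdf',
    r'2024-01-01T11:00:00Z WS03 web_download url=https://fullpdf.com/AppSuite-PDF.msi',
    r'2024-01-01T11:30:00Z WS04 process_create image=C:\Tools\ManualFinderApp.exe cmdline="ManualFinderApp.exe"',
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
PROC_RE = re.compile(r'image=(.+?) cmdline="(.*)"$')

def basename(path: str) -> str:
    """Last component of a Windows or URL path, lower-cased for matching."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(line: str):
    """Map one telemetry line to (host, stage), or None if it is not of interest."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, host, event, detail = m.groups()
    if event == "web_download" and detail.startswith("url="):
        url = urlparse(detail[4:])
        if url.hostname in DISTRIBUTION_DOMAINS and basename(url.path) == INSTALLER_NAME:
            return host, "download"
    elif event == "process_create":
        pm = PROC_RE.search(detail)
        if not pm:
            return None
        image, cmdline = pm.groups()
        if basename(image) == "msiexec.exe" and INSTALLER_NAME in cmdline.lower():
            return host, "install"
        if basename(image) in DROPPED_BINARIES:
            return host, "execute"
    return None

def triage(lines):
    """Return {host: stages seen, in chain order}; all three means the full infection chain."""
    stages = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            stages[hit[0]].add(hit[1])
    order = {"download": 0, "install": 1, "execute": 2}
    return {h: sorted(s, key=order.get) for h, s in stages.items()}
```

A host with only the download stage (WS03 in the sample) is a candidate for quarantine of the file before the user runs it; a host with all three stages (WS01) should be treated as compromised.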
The diagram below shows a high-level overview of the infection chain.
Cegeka CSIRT encourages organizations to:
Please find the full Cegeka CSIRT threat analysis report which includes the observed indicators of compromise here:
Our Cegeka Modern SOC, staffed with experienced security professionals, is able to detect these types of attacks and adequately respond to them in a timely manner, minimizing or even fully preventing impact on your organization.