Byte Bandits: How Fake PDF Converters Are Stealing More Than Just Your Documents
Summary:
CloudSEK researchers have uncovered a new campaign exploiting the popularity of PDFCandy[.]com, a widely used online file conversion tool that is especially popular in India. Their investigation, prompted by an alert from the FBI's Denver field office about malicious online file converters being used to distribute malware, found attackers distributing ArechClient2 malware to steal sensitive information such as browser-stored credentials. ArechClient2 is a variant of the SectopRAT family, which has been actively used in attacks since at least 2019 and is often distributed through deceptive online advertising via Google Ads or through fake software updates. The adversary has created a malicious PDF-to-DOCX converter that impersonates the legitimate service pdfcandy.com. According to CloudSEK, this copycat service meticulously replicates the genuine platform and uses look-alike domains to better deceive potential victims. On landing on the fraudulent site, users are prompted to upload a PDF file for conversion, which further enhances the appearance of legitimacy. Once the conversion is started, the malicious website uses a fake CAPTCHA (the ClickFix technique) to trick the user into running a PowerShell command that triggers the payload. The redirection chain following the PowerShell command is sophisticated, and the final endpoint domain is known to host SectopRAT.
Security Officer Comments:
The meticulously crafted user flow on the fraudulent website shows the adversary's familiarity with web design conventions and with human psychology, underscoring the sophistication of this phishing attack. The hand-off from social engineering to system compromise is the critical point in the attack chain: the campaign succeeds only if the user performs that interaction. The sophisticated redirection chain further obscures the malware delivery process. By identifying the final destination of the redirection chain, the researchers were able to learn more about the malware payload: the domain is part of reused phishing infrastructure that has distributed ArechClient malware in the past. The attacker uses an MSBuild file to load and execute the ArechClient2 information stealer. This development comes as Microsoft recently observed exploitation of a CLFS zero-day vulnerability in which, post-compromise, an MSBuild file was used to deploy RansomEXX ransomware. CloudSEK's report reinforces the importance of using only trusted tools from official websites, educating employees, and implementing some form of browser security on enterprise devices.
Suggested Corrections:
IOCs are available here.
To protect against malicious file converters like the one analyzed in this report, organizations and individuals should:
- Use only trusted, reputable file conversion tools from official websites rather than searching for "free online file converters".
- Implement robust technical controls, including:
  - Keep antivirus or anti-malware software updated and scan all downloaded files before opening.
  - Deploy endpoint detection and response (EDR) solutions to detect suspicious behaviors.
  - Utilize DNS-level traffic filtering to block known malicious domains.
  - Consider browser extensions that block malicious sites.
- Verify file types beyond just extensions, as malicious files often masquerade as legitimate document types.
- Implement content disarm and reconstruction (CDR) technology to remove potentially embedded threats from documents.
- Establish file upload restrictions in corporate environments, including limiting allowed file types and maximum file sizes.
- Educate users to recognize warning signs of malicious converters, such as:
  - Requests to run PowerShell or command-line instructions.
  - Suspicious URLs that mimic legitimate services with slight variations.
  - Unexpected CAPTCHA verifications or additional downloads.
- Develop and regularly test incident response plans to quickly address infections when they occur.
- Consider using offline conversion tools that don't require uploading files to remote servers.
- If a system is potentially compromised:
  - Immediately isolate the affected device.
  - Change all passwords using a clean device.
  - Contact financial institutions to protect accounts.
  - Report the incident to the appropriate authorities.
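The "verify file types beyond just extensions" control above, as an added example that is not part of the CloudSEK report or this digest: a Python checker that decides what a file actually is from its magic bytes (and, for DOCX, from its OOXML zip layout) and compares that with the extension it claims, so a PE executable handed back as "converted.docx" is flagged. The sample files are constructed inline.

```python
# Added example: detect what a file actually is from its magic bytes (and,
# for DOCX, its OOXML zip layout) and compare that with the claimed extension.
import io
import zipfile

def _is_docx(data: bytes) -> bool:
    """A real DOCX is a zip holding [Content_Types].xml and word/document.xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return {"[Content_Types].xml", "word/document.xml"} <= names

def detect_type(data: bytes) -> str:
    """Return the format the bytes really are: pdf, docx, exe, or unknown."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):          # Windows PE header, whatever the name says
        return "exe"
    if data.startswith(b"PK\x03\x04") and _is_docx(data):
        return "docx"
    return "unknown"

def verify(filename: str, data: bytes) -> tuple:
    """Compare the claimed extension with the detected type.
    Returns (ok, claimed, actual); ok is False on any mismatch."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = detect_type(data)
    return (claimed == actual, claimed, actual)

def make_docx() -> bytes:
    """Build a minimal, structurally valid DOCX in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

# Constructed samples: a genuine DOCX, a PDF, and a PE stub handed back as .docx
SAMPLES = {
    "report.docx": make_docx(),
    "report.pdf": b"%PDF-1.7\n%constructed sample\n",
    "converted.docx": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, verify(name, blob))   # converted.docx -> (False, 'docx', 'exe')
```

A truncated or non-OOXML zip that merely starts with the PK signature is reported as unknown rather than docx, so renaming alone never satisfies the check.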
https://www.cloudsek.com/blog/byte-bandits-how-fake-pdf-converters-are-stealing-more-than-just-your-documents