Do you use LinkedIn? If you’re reading this post, then the likely answer is yes! Have you heard of the new scam threat actors use to deliver malware through your messages?
Picture this: you are an HR representative for your company, and you use LinkedIn to help with recruiting. One day, you receive a message from a person stating that they applied for a position with your company and made it through the entire interview process, but are now being asked to pay for a software license. This seemed odd to them, which is why they are reaching out to you to confirm the legitimacy of the offer. Inside that message, they also included PDFs of the paperwork, the email addresses, and the names of the people they had been working with.
The recipient of the message was instantly suspicious, whereas someone else might not have been: they noticed inconsistencies in what the sender was asking. On its face, it looked as though the individual had been scammed by fake email addresses and hired under false pretenses by a company.
All of this seems legitimate, right? An individual applied for a job and got scammed... wrong. Upon deeper inspection of the PDFs' code and opening them in a sandbox, Team Vanir at DefendEdge determined that the PDFs had been injected with malicious code that put devices in a reboot loop. In other words, the supposed victim was actually the scammer, phishing for information and trying to harm the company's systems.
Why is this important? Rebooting doesn't sound so bad, right? You can finally get all those Windows updates taken care of! But the consequences of a forced reboot can be major for any company. Imagine this scenario for a second: the user opens the message and the documents, the code executes, and it traverses the entire company network. All the infected devices would be rendered useless, because you wouldn't be able to stop the code from executing repeatedly until each system shut down from being overloaded with restarts. This scenario could cripple a company's network and business operations.
We've provided our in-depth analysis of one malicious and one non-malicious PDF in the following paragraphs.
Suspected Malicious PDF:
Analysis Summary – This PDF file displayed suspicious behavior, attempting to bypass security filters and send data secretly. It created and deleted system files, suggesting hidden actions, and altered settings to maintain access. The behavior matches known security vulnerabilities in Adobe Acrobat, posing a significant risk. Immediate containment and analysis are recommended.
Behavioral Analysis – The files exhibited behavior commonly associated with harmful software.
Unusual Network Activity
- The PDFs attempted to use a secure version of Google's public DNS service (DNS over HTTPS), a method often used by harmful software to bypass standard security filters.
- The files connected to specific online addresses using encrypted communication, which could indicate an attempt to secretly send or receive data.
- Certain unique fingerprints associated with encrypted web traffic were detected. These have been linked to known harmful software, further raising concerns.
Suspicious File Activity
- The file created temporary system files and made changes to the computer’s internal settings, actions often linked to hidden threats.
- Files were written in system directories where standard PDF documents typically wouldn’t store information. This suggests an attempt to run unauthorized actions within the PDF software.
- Some newly created files suggest the documents were preparing to install or trigger additional hidden components.
- Certain files were deleted immediately after execution, which could be an effort to erase traces of their activity and avoid detection.
Unusual Program Execution and System Changes
- The PDF viewer software launched multiple additional processes, some of which are commonly linked to attempts to take advantage of security gaps.
- Commands that modified system functions were executed, potentially allowing continued access even after the document was closed.
Indicators of Compromise (IOCs)
1. Suspicious Files Created
The following files were found in unusual locations, indicating potential malicious activity:
- Temporary & Log Files:
  - C:\Users\<USER>\AppData\Local\Temp\NGClient_AcrobatReader123.8.20533.6.log
  - C:\Users\<USER>\AppData\Local\Temp\acroNGLLog.txt
- Dropped Payloads:
  - C:\Users\<USER>\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG
  - C:\Users\<USER>\AppData\LocalLow\Adobe\Acrobat\DC\SOPHIA\Reader\Files\DC_READER_RHP_Banner
  - C:\Users\<USER>\AppData\LocalLow\Adobe\Acrobat\DC\SOPHIA\Reader\Files\Edit_InApp_Aug2020
2. Registry Modifications (Persistence)
Changes to system registry settings suggest an attempt to maintain persistence and cover tracks:
- Modified Registry Keys:
  - HKEY_CURRENT_USER\SOFTWARE\Adobe\Adobe Acrobat\DC\AVGeneral\AcrobatUpsellTracking
  - HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\DC\AVGeneral\RecentFiles
  - HKEY_LOCAL_MACHINE\SYSTEM\Acrobatbrokerserverdispatcher (not a known Adobe service, indicating possible malware persistence)
- Deleted Registry Keys (Covering Tracks):
  - HKEY_LOCAL_MACHINE\SYSTEM\Acrobatbrokerserverdispatcher789
3. Exploit Indicators
The file's behavior suggests it may exploit vulnerabilities in Adobe Acrobat Reader, with potential attack methods including:
- JavaScript-Based Exploits:
  - AcroCef activity suggests embedded JavaScript execution.
  - Possible vulnerabilities:
    - CVE-2018-4990 (JavaScript execution within PDFs).
    - CVE-2021-28550 (use-after-free vulnerability in Acrobat DC).
- Privilege Escalation & Persistence:
  - System registry modifications indicate an attempt to maintain long-term control.
- Network-Based Communication:
  - Use of Google DNS-over-HTTPS (DoH) suggests potential data exfiltration or Command-and-Control (C2) activity.
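The behavioral findings above are the kind of signals a rule-based first pass over sandbox output can flag automatically, before an analyst reads the full report. The following Python is an added example, not DefendEdge's analysis tooling: it runs a handful of rules over a constructed JSON-lines event log (the field names, rule thresholds, expected-directory list and the sample events themselves are assumptions modelled on the indicators listed above) and separates the suspected malicious sample's pattern from a benign reader session of the kind described in the second report below.

```python
"""Rule-based triage of sandbox behavioural events for a PDF sample.

Added example, not DefendEdge's analysis tooling. The event records, field
names, expected-path lists and verdict thresholds are assumptions built to
mirror the write-up's categories: DNS-over-HTTPS use, file writes outside
the reader's own profile directories, files deleted right after creation,
registry writes under the HKLM\\SYSTEM hive, and unexpected child processes.
"""
import json

# Constructed JSON-lines sandbox log resembling the suspected malicious PDF.
SAMPLE_EVENTS = r"""
{"pid": 4120, "proc": "AcroRd32.exe", "op": "dns", "target": "dns.google"}
{"pid": 4120, "proc": "AcroRd32.exe", "op": "connect", "target": "8.8.8.8:443"}
{"pid": 4120, "proc": "AcroRd32.exe", "op": "file_create", "target": "C:\\Users\\<USER>\\AppData\\Local\\Temp\\acroNGLLog.txt"}
{"pid": 4120, "proc": "AcroRd32.exe", "op": "file_create", "target": "C:\\Windows\\System32\\drop.tmp"}
{"pid": 4120, "proc": "AcroRd32.exe", "op": "file_delete", "target": "C:\\Windows\\System32\\drop.tmp"}
{"pid": 4120, "proc": "AcroRd32.exe", "op": "reg_set", "target": "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\RecentFiles"}
{"pid": 4120, "proc": "AcroRd32.exe", "op": "reg_set", "target": "HKEY_LOCAL_MACHINE\\SYSTEM\\Acrobatbrokerserverdispatcher"}
{"pid": 4120, "proc": "AcroRd32.exe", "op": "proc_create", "target": "cmd.exe"}
"""

# Constructed log resembling the non-malicious PDF: Adobe update check,
# a link to the DefendEdge site, cache write, a Reader setting, a CEF helper.
BENIGN_EVENTS = r"""
{"pid": 5208, "proc": "AcroRd32.exe", "op": "dns", "target": "acroipm2.adobe.com"}
{"pid": 5208, "proc": "AcroRd32.exe", "op": "connect", "target": "www.defendedge.com:443"}
{"pid": 5208, "proc": "AcroRd32.exe", "op": "file_create", "target": "C:\\Users\\<USER>\\AppData\\Local\\Adobe\\Acrobat\\DC\\UserCache.bin"}
{"pid": 5208, "proc": "AcroRd32.exe", "op": "reg_set", "target": "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\DLLInjection\\BlockDLLInjection"}
{"pid": 5208, "proc": "AcroRd32.exe", "op": "proc_create", "target": "RdrCEF.exe"}
"""

# Public DoH resolvers by hostname, and the same resolvers reached by IP on 443.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com"}
DOH_ENDPOINTS = {"8.8.8.8:443", "8.8.4.4:443", "1.1.1.1:443"}

# Per-user locations a PDF reader is expected to write to (assumed allow-list).
EXPECTED_WRITE_PREFIXES = tuple(p.lower() for p in (
    r"C:\Users\<USER>\AppData\Local\Temp",
    r"C:\Users\<USER>\AppData\Local\Adobe",
    r"C:\Users\<USER>\AppData\LocalLow\Adobe",
    r"C:\Users\<USER>\AppData\Roaming\Adobe",
))

# Registry locations a user-mode document viewer has no reason to write.
PRIVILEGED_REG_PREFIXES = tuple(p.lower() for p in (
    r"HKEY_LOCAL_MACHINE\SYSTEM",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
))

# Child processes the reader legitimately spawns (Chromium Embedded helpers).
EXPECTED_CHILDREN = {"acrocef.exe", "rdrcef.exe"}


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events_text):
    """Return the rule hits and an overall verdict for one sandbox run."""
    findings = []
    created = set()
    for ev in parse_events(events_text):
        op, target = ev["op"], ev["target"]
        low = target.lower()
        if (op == "dns" and low in DOH_HOSTS) or (op == "connect" and low in DOH_ENDPOINTS):
            findings.append(("doh_resolver", target))
        elif op == "file_create":
            created.add(low)
            if not low.startswith(EXPECTED_WRITE_PREFIXES):
                findings.append(("write_outside_profile", target))
        elif op == "file_delete" and low in created:
            # Create-then-delete inside one run: read as track covering.
            findings.append(("transient_file", target))
        elif op == "reg_set" and low.startswith(PRIVILEGED_REG_PREFIXES):
            findings.append(("privileged_registry_write", target))
        elif op == "proc_create" and low not in EXPECTED_CHILDREN:
            findings.append(("unexpected_child_process", target))
    categories = {kind for kind, _ in findings}
    if len(categories) >= 3:
        verdict = "likely_malicious"
    elif categories:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, log in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        result = triage(log)
        print(label, result["verdict"])
        for kind, target in result["findings"]:
            print("  ", kind, target)
```

The verdict deliberately counts distinct rule categories rather than raw hits: one noisy rule (a single unexpected temp file) should land the sample in "suspicious" for a human to look at, while the combination of DoH, writes outside the profile, HKLM\SYSTEM persistence and an unexpected child process, as in the first report, is what earns "likely_malicious". Tune the allow-lists to the reader version in your own environment; the values here are assumptions.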
Assessment: High Risk of Malicious Activity
Several warning signs strongly indicate that these PDF files are harmful:
- They exhibit unusual execution behavior, including triggering additional background processes.
- They create and delete files in a way that suggests hidden operations.
- They alter system settings to maintain access.
- Their communication methods match those used by known harmful software.
- They show signs of taking advantage of security weaknesses in PDF software.
Final Verdict: Highly Suspicious / Likely Malicious
- The PDF file shows multiple signs of being a potential threat, likely attempting to exploit weaknesses in widely used PDF software.
- The file’s ability to alter settings and remain on the system suggests it could pose a long-term risk.
- Immediate action is recommended: The file should be tested in a controlled security environment to confirm its intent before being opened on any device.
Non-Malicious PDF:
Overview – We created a PDF that included a link to the DefendEdge website, an image, and some text. We ran the same analysis as on the other documents; the resulting report is below, in the same format as for the other PDFs.
Analysis Summary – The PDF file does not exhibit malicious behavior but performs several system interactions typically associated with Adobe Acrobat. It modifies files, writes cache data, and interacts with the Windows registry. However, it does not contain embedded scripts, exploits, or unauthorized network communication.
Behavioral Analysis – The file does not exhibit behavior associated with any exploit-based malware.
Network Activity
- The PDF requested a DNS resolution to acroipm2.adobe.com, a legitimate Adobe service.
- A connection was observed to www.defendedge.com, a known cybersecurity company.
- No signs of encrypted C2 traffic, data exfiltration, or suspicious TLS fingerprints were detected.
Suspicious File Activity
- The file created and modified multiple temporary and cache files, a common behavior in document processing:
  - C:\Users\\AppData\Local\Adobe\Acrobat\DC\UserCache.bin
  - C:\Users\\AppData\LocalLow\Adobe\Acrobat\DC\Connectors\icon 2503162343292-396.bmp
- A file named SOPHIA.json was placed in the Acrobat Reader directory, which is unusual but not inherently malicious.
- The file deleted temporary cache data after execution, a part of standard Adobe Reader operations.
Program Execution and System Modifications
- The Acrobat Reader process launched multiple AcroCEF instances, which is typical but can be exploited by malicious PDFs.
- The PDF executed system interactions, including:
  - Opening registry keys associated with Adobe and Windows Internet settings.
  - Setting new registry values in Acrobat Reader, potentially for configuration adjustments.
  - Creating mutex locks (Global\Acro Update Mutex), often used to prevent multiple instances of a program from running simultaneously.
Indicators of System Interactions (IOCs)
1. Suspicious Files Created
The following files were written, deleted, or modified:
- Temporary and Cache Files:
  - C:\Users\\AppData\Local\Adobe\Acrobat\DC\UserCache.bin
  - C:\Users\\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\TEST ING
- Dropped Cache Files:
  - C:\Users\\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache
2. Registry Modifications
- Opened Registry Keys: The PDF interacted with Adobe-related registry keys, though none indicate unauthorized persistence mechanisms.
  - HKEY_CLASSES_ROOT\AcroExch.Document.DC\shell\Open\command\0x0
  - HKEY_CLASSES_ROOT\Software\Adobe\Acrobat\MURD
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set Registry Keys (Likely Acrobat Settings Adjustments):
  - Software\Adobe\Acrobat Reader\DC\DLLInjection\BlockDLLInjection
  - Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
- Deleted Registry Key (Standard Cleanup Behavior):
  - HKEY_LOCAL_MACHINE\System\AcrobatViewerCppF473
3. Exploit Indicators and Potential Attack Methods
While no active exploits were detected, certain behaviors resemble techniques used in past Adobe Acrobat vulnerabilities:
- JavaScript-Based Exploits (Not Detected)
  - This PDF contains no embedded JavaScript, reducing the likelihood of CVE-2018-4990 or CVE-2021-28550 execution exploits.
- Persistence via System Modifications (Low Risk)
  - The registry modifications do not indicate malicious persistence.
  - No unauthorized registry keys typically linked to malware were found.
- Network-Based Communication (Low Risk)
  - The PDF does not attempt to communicate with unknown IPs or bypass security measures.
  - The only observed DNS activity was related to Adobe and a known cybersecurity site.
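Both reports turn on the same static question: does the PDF carry embedded JavaScript or an action that fires when the document opens? The check below is an added example, not DefendEdge's tooling, and it serves the "JavaScript-Based Exploits" entries of both reports. It scans a PDF's raw bytes for the name objects that introduce active content (/JS, /JavaScript, /OpenAction, /AA, /Launch, /EmbeddedFile) and for link actions (/URI), resolves the PDF #xx name escape so an obfuscated spelling such as /Java#53cript is not missed, and flags compressed object streams (/ObjStm), which a byte scan cannot see into. The two PDFs, the name weights and the verdict thresholds are constructed assumptions; the script in the first sample is a harmless app.alert canary.

```python
"""Static triage of a PDF's raw bytes for active-content markers.

Added example, not DefendEdge's analysis tooling. The two PDFs, the name
weights and the verdict thresholds are constructed assumptions.
"""
import re
from collections import Counter

# Name objects that introduce scripts or auto-triggered actions. Weights are
# assumptions: a link action (/URI) on its own is informational, not a finding.
RISKY_NAMES = {
    "/JavaScript": 3,
    "/JS": 3,
    "/Launch": 3,
    "/OpenAction": 2,
    "/AA": 2,
    "/EmbeddedFile": 1,
    "/URI": 0,
}

NAME_RE = re.compile(rb"/[A-Za-z0-9#._-]+")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed PDF whose /OpenAction runs JavaScript. The name /JavaScript is
# spelled /Java#53cript, a legal PDF encoding that a plain substring search
# for "/JavaScript" would miss. The script is a harmless app.alert canary.
MALICIOUS_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /Java#53cript /JS (app.alert\(1\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed PDF like the non-malicious one in the write-up: a single page
# with a link annotation to the DefendEdge website and no script.
BENIGN_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A << /S /URI /URI (https://www.defendedge.com) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalise_name(raw):
    """Resolve #xx escapes so /Java#53cript compares equal to /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data):
    """Count risky name objects and decide whether the file needs review."""
    names = Counter(normalise_name(n) for n in NAME_RE.findall(data))
    hits = {n: names[n] for n in RISKY_NAMES if names.get(n)}
    score = sum(RISKY_NAMES[n] * count for n, count in hits.items())
    # Object streams hold compressed objects whose names a byte scan cannot
    # see, so their presence alone means "inconclusive, decompress first".
    object_streams = names.get("/ObjStm", 0) > 0
    if score >= 3:
        verdict = "review"
    elif object_streams:
        verdict = "inconclusive"
    else:
        verdict = "no active content"
    return {"risky_names": hits, "score": score,
            "object_streams": object_streams, "verdict": verdict}


if __name__ == "__main__":
    for label, pdf in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, scan_pdf(pdf))
```

Treat "no active content" as a negative result only when the file has no object streams; a PDF built by a modern writer usually keeps its catalog and actions inside compressed /ObjStm objects, so decompress those (any PDF parsing library can) before concluding anything, and confirm in a sandbox as both reports above do. The byte scan also reads inside string literals, so a name-like token in a URL can appear in the counts; that only matters if it collides with one of the risky names.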
Assessment: Low Risk of Malicious Activity
- The PDF does not exhibit the behaviors strongly associated with malware:
  - No privilege escalation attempts
  - No JavaScript-based execution or embedded shellcode
  - No suspicious encrypted outbound communication
  - No unauthorized registry persistence mechanisms
Final Verdict: Unlikely Malicious / No Immediate Threat
- This PDF does not contain malware or known exploits.
- It interacts with the system in a manner consistent with standard Adobe Acrobat behavior.
- The file is safe for general use, but as with any document, it should be opened only in a trusted environment.