Bogus installers for Adobe Acrobat Reader are being used to distribute a new multi-functional malware dubbed Byakugan.
The starting point of the attack is a PDF file written in Portuguese that, when opened, shows a blurred image and asks the victim to click on a link to download the Reader application to view the content.
According to Fortinet FortiGuard Labs, clicking the URL leads to the delivery of an installer ("Reader_Install_Setup.exe") that activates the infection sequence. Details of the campaign were first disclosed by the AhnLab Security Intelligence Center (ASEC) last month.
The attack chain leverages techniques like DLL hijacking and a Windows User Account Control (UAC) bypass to load a malicious dynamic-link library (DLL) file named "BluetoothDiagnosticUtil.dll," which, in turn, loads and unleashes the final payload. It also deploys a legitimate installer for a PDF reader, such as Wondershare PDFelement.
The binary is equipped to gather and exfiltrate system metadata to a command-and-control (C2) server and drop the main module ("chrome.exe") from a different server that also acts as its C2 for receiving files and commands.
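Two of the behaviours described above are easy to hunt for in endpoint telemetry: a DLL resolved from the dropped installer's own directory in a user-writable location (the side-loading pattern), and a process called "chrome.exe" started from somewhere other than the browser's install directory (the main module masquerading as Chrome). The script below is an added example, not Fortinet's or ASEC's code; it runs a small set of such heuristics over constructed, Sysmon-like image-load and process-creation records. The field names, directory lists and sample paths are assumptions; only the two filenames are taken from the article.

```python
import ntpath
from dataclasses import dataclass
from typing import List

# Directories a properly installed DLL normally loads from (assumption: default Windows layout).
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64",
                r"C:\Program Files", r"C:\Program Files (x86)")
# User-writable locations where a dropped EXE plus side-loaded DLL pair typically lands.
WRITABLE_DIRS = (r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp")
# Filename IoC from the article: the hijacked DLL the installer loads.
IOC_DLL_NAMES = {"bluetoothdiagnosticutil.dll"}
# The main module is dropped as "chrome.exe"; a real Chrome runs from its install directory
# (assumed default install paths).
EXPECTED_IMAGE_DIRS = {
    "chrome.exe": {r"C:\Program Files\Google\Chrome\Application",
                   r"C:\Program Files (x86)\Google\Chrome\Application"},
}


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison (works on any host OS)."""
    return ntpath.normpath(path).lower()


def _under(path: str, dirs) -> bool:
    """True if path lies below any directory in dirs."""
    p = _norm(path)
    return any(p.startswith(_norm(d) + "\\") for d in dirs)


@dataclass
class Event:
    kind: str          # "image_load" (Sysmon event 7 style) or "process_create" (event 1 style)
    process: str       # full path of the process image
    image: str = ""    # loaded module path, for image_load only


@dataclass
class Finding:
    rule: str
    detail: str


def analyze(events: List[Event]) -> List[Finding]:
    """Apply the hunting heuristics to a list of events and return the findings in order."""
    findings: List[Finding] = []
    for ev in events:
        if ev.kind == "image_load" and ev.image.lower().endswith(".dll"):
            name = ntpath.basename(ev.image).lower()
            if name in IOC_DLL_NAMES:
                findings.append(Finding("ioc_dll_name", f"{ev.process} loaded {ev.image}"))
            # Side-loading pattern: the DLL is resolved from the EXE's own directory, and that
            # directory is user-writable rather than a trusted install location.
            same_dir = _norm(ntpath.dirname(ev.image)) == _norm(ntpath.dirname(ev.process))
            if same_dir and _under(ev.image, WRITABLE_DIRS) and not _under(ev.image, TRUSTED_DIRS):
                findings.append(Finding("sideload_from_writable_dir",
                                        f"{ev.process} loaded {ev.image} from its own directory"))
        elif ev.kind == "process_create":
            name = ntpath.basename(ev.process).lower()
            expected = EXPECTED_IMAGE_DIRS.get(name)
            if expected and _norm(ntpath.dirname(ev.process)) not in {_norm(d) for d in expected}:
                findings.append(Finding("masquerading_process",
                                        f"{ev.process} started outside its expected install directory"))
    return findings


def sample_events() -> List[Event]:
    """Constructed telemetry, not real captures; the user name and paths are made up."""
    return [
        Event("image_load", r"C:\Users\victim\Downloads\Reader_Install_Setup.exe",
              r"C:\Users\victim\Downloads\BluetoothDiagnosticUtil.dll"),
        Event("image_load", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\kernel32.dll"),
        Event("process_create", r"C:\Users\victim\AppData\Roaming\chrome.exe"),
        Event("process_create", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ]


if __name__ == "__main__":
    for f in analyze(sample_events()):
        print(f"[{f.rule}] {f.detail}")
```

The side-loading rule deliberately keys on where the DLL was resolved from rather than on its name, so it still fires when the attacker renames the DLL; the name match is kept as a separate, high-confidence rule. The benign svchost.exe/kernel32.dll record produces no finding because the load comes from a trusted directory.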
"Byakugan is a node.js-based malware packed into its executable by pkg," security researcher Pei Han Liao said. "In addition to the main script, there are several libraries corresponding to features."
This includes setting up persistence, monitoring the victim's desktop using OBS Studio, capturing screenshots, downloading cryptocurrency miners, logging keystrokes, enumerating and uploading files, and grabbing data stored in web browsers.
"There is a growing trend to use both clean and malicious components in malware, and Byakugan is no exception," Fortinet said. "This approach increases the amount of noise generated during analysis, making accurate detections more difficult."
The disclosure comes as ASEC revealed a new campaign that propagates the Rhadamanthys information stealer under the guise of an installer for groupware.
"The threat actor created a fake website to resemble the original website and exposed the site to the users using the ad feature in search engines," the South Korean cybersecurity firm said. "The malware in distribution uses the indirect syscall technique to hide from the eyes of security solutions."
It also follows a discovery that a manipulated version of Notepad++ is being employed by unidentified threat actors to propagate the WikiLoader malware (aka WailingCrab).
References
[1] https://thehackernews.com/2024/04/from-pdfs-to-payload-bogus-adobe.html