Hidden in Plain Sight: PDF Mishing Attack



Executive Summary

As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team has been actively monitoring a phishing campaign impersonating the US Postal Service (USPS) that targets mobile devices exclusively. This campaign employs sophisticated social engineering tactics and a never-before-seen method of obfuscation to deliver malicious PDF files designed to steal credentials and compromise sensitive data.

Background

PDF (Portable Document Format) documents have become an indispensable tool in the enterprise landscape, offering a universal and reliable way to share information across platforms and devices. Renowned for their consistent formatting, ease of use, and compatibility, PDFs are used extensively for contracts, reports, manuals, invoices, and other critical business communications. Their ability to incorporate text, images, hyperlinks, and digital signatures while maintaining integrity makes them ideal for enterprises prioritizing professionalism and compliance. Because of their ubiquitous use and their appearance of being 'tamper-proof', users have developed a natural, but dangerous, assumption that all PDFs are safe. And now, cybercriminals are actively exploiting that false confidence.

The widespread use of PDFs is introducing significant security risks to the enterprise, particularly when they are aimed at mobile devices. PDFs have become a common vector for phishing attacks, malware, and exploits because of their ability to embed malicious links, scripts, or payloads. On mobile platforms, where users often have limited visibility into file contents before opening them, these threats can easily bypass traditional security measures. The portability and accessibility that make PDFs so valuable also mean that sensitive data can be inadvertently exposed if proper protections are not in place. Without robust mobile threat defense mechanisms, particularly on-device scanning, enterprises face the risk of data breaches, credential theft, and compromised workflows via seemingly harmless PDF files.

Findings

The investigation into this campaign uncovered over 20 malicious PDF files and 630 phishing pages, indicating a large-scale operation. Further analysis revealed a malicious infrastructure, starting with landing pages designed to steal data, that could potentially impact organizations across 50+ countries. This campaign employs a complex and previously unseen technique to hide clickable elements, making it difficult for most endpoint security solutions to properly analyze the hidden links.

In this blog, we'll detail this innovative evasion technique and demonstrate how Zimperium's Mobile Threat Defense (MTD) solution effectively detects malicious files leveraging such methods, providing essential protection against these evolving PDF and mishing threats.

Composition of the Mishing Campaign

There has been a significant increase in mishing campaigns overall, with PDFs now emerging as a notable attack vector used to exploit mobile users. This tactic leverages the perception of PDFs as safe and trusted file formats, making recipients more likely to open them. One such campaign we observed is delivered via SMS messages and includes a PDF file containing a malicious link (Fig. 1). The original PDF sample analyzed by our zLabs team features deceptive text designed to redirect users to a fraudulent website, aiming to steal sensitive information. Notably, the PDF employs an unconventional technique to embed the malicious link, allowing it to bypass detection by numerous endpoint security solutions. This method highlights the evolving tactics of cybercriminals, who exploit both trusted file formats and advanced evasion techniques to deceive users and compromise their data.

Figure 1: Fake SMS Received

Introduction to the PDF Format

As mentioned earlier, the PDF provides a reliable, platform-independent way to present documents, ensuring consistent display across various operating systems and software environments. PDFs can incorporate a wide range of content, including text, images, links, video, 3D models, interactive forms, and more.

The structure of a PDF is hierarchical and consists of four main components: the header, body, cross-reference table, and trailer. The header defines the PDF version used in the document. The body contains the objects that define the document's layout and structure. These objects, which can reference each other, include:

  • Names: Used for assigning unique identifiers.
  • Strings: Represent text and are enclosed in parentheses (…).
  • Arrays: Ordered collections of other objects, delimited by square brackets […].
  • Dictionaries: Key-value pairs, where keys are Name objects and values can be any other object type. Dictionaries are enclosed in double angle brackets <<…>>.
  • Streams: Contain embedded data, such as images or code, which may be compressed. Streams are represented by a dictionary specifying the stream's length using the /Length key and its encoding using /Filter.
  • Indirect Objects: Objects with unique IDs, defined by the "obj" and "endobj" keywords. Other objects can reference them using these IDs.

The cross-reference table stores the byte offset of each object within the file, enabling random access and efficient retrieval. Its entries point to the location of each object. The trailer provides a reference to the cross-reference table and to the document's root object, facilitating proper document loading by the PDF reader.
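As an added example (not code from the zLabs post), the Python below assembles a minimal PDF from the four components just described, computing real byte offsets for the cross-reference table, and then reads it back the way a reader does: startxref, then the xref table, then the trailer's /Root. The three body objects are constructed for the example.

```python
import re

# Constructed body objects: object 1 is the catalog, 2 the page-tree root, 3 a page.
OBJECTS = [
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
]

def build_pdf(objects):
    """Assemble header, body, cross-reference table and trailer with real byte offsets."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))                   # byte offset of "N 0 obj"
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    startxref = len(out)                           # where the xref table begins
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off           # fixed 20-byte entries
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objects) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % startxref
    return bytes(out)

def parse_xref(pdf):
    """Follow startxref -> xref table -> per-object offsets and the trailer's /Root."""
    startxref = int(re.search(rb"startxref\s+(\d+)\s+%%EOF", pdf).group(1))
    head = re.match(rb"xref\s+(\d+)\s+(\d+)\s+", pdf[startxref:])
    first, count = int(head.group(1)), int(head.group(2))
    pos = startxref + head.end()
    offsets = {}
    for i in range(count):
        entry = pdf[pos + 20 * i:pos + 20 * (i + 1)]
        if entry[17:18] == b"n":                   # 'n' = in use, 'f' = free
            offsets[first + i] = int(entry[:10])
    trailer = re.search(rb"trailer\s*<<(.*?)>>", pdf, re.S).group(1)
    root = int(re.search(rb"/Root\s+(\d+)\s+\d+\s+R", trailer).group(1))
    return offsets, root

def object_at(pdf, offsets, num):
    """Read object `num` at its xref offset and check that the header matches."""
    m = re.match(rb"(\d+) 0 obj\s*(.*?)\s*endobj", pdf[offsets[num]:], re.S)
    if not m or int(m.group(1)) != num:
        raise ValueError("xref offset does not point at object %d" % num)
    return m.group(2)
```

A reader that follows the xref offsets rather than searching the file text is also the one that a malformed or deliberately misleading table can mislead, which is why object_at checks the object header it lands on.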

Analysis of the Malicious PDF

In PDF files, links are typically represented using the /URI tag. This tag is part of an Action Dictionary object, specifically within a Go-To-URI action, which instructs a PDF viewer to navigate to a Uniform Resource Identifier (URI), usually a web address (URL).

An example of a Go-To-URI action dictionary appears as follows:

<< /Type /Action /S /URI /URI (http://www.example.com) >>

Where:

  • /Type /Action: Identifies this dictionary as an action.
  • /S /URI: Specifies the action type as "Go-To-URI".
  • /URI (http://www.example.com): Contains the actual URI string. The URI is enclosed in parentheses.

The PDFs used in this campaign embed clickable links without using the standard /URI tag, making it harder to extract URLs during analysis. Our researchers verified that this method enabled known malicious URLs within PDF files to bypass detection by several endpoint security solutions. In contrast, the same URLs were detected when the standard /URI tag was used. This highlights the effectiveness of this technique in obscuring malicious URLs.

Catalog object

The analysis of the malicious PDF began with the Catalog object (Fig. 2), which is fundamental to a PDF file's structure. Acting as the entry point, it references critical elements like pages, metadata, and outlines (bookmarks). In this case, the Catalog object pointed to object 2, representing the root of the page tree, a dictionary of type /Pages. This root defines the hierarchical structure of the document's pages.

Figure 2: Example of a Catalog object

 

Pages object

The /Pages object (Fig. 3), another essential part of the hierarchical structure of a PDF document, represents the root of the page tree and organizes the individual pages of the document. The /Kids entry is an array pointing to child objects. Here, it referenced object 6 0 R, representing a specific page within the PDF document. Each page is defined by a Page object, which outlines its contents, resources, and layout. Some of the key attributes of a Page object are:

  • /MediaBox: Defines the size of the page.
  • /Contents: References the content stream object(s) that describe the text, images, and graphics to be displayed on the page.
  • /Resources: Contains references to all the resources (e.g., fonts, images, graphics states) required by the content on the page.

Figure 3: Pages Object
Figure 4: Pages Object

The Page object in this PDF (Fig. 4) contained several resources, including two XObjects. The /XObject entry (External Object) acts as a repository for external objects that can be reused within the content stream. These objects are essentially reusable content elements, like images, forms (Form XObjects), or PostScript fragments. In this case, the XObjects referenced two images (Fig. 5).

Figure 5: Images Referenced

 

Font object

Another object referenced from the /Page object is the /Font object (Fig. 4).

Font objects define typefaces and include information like encoding and font data to ensure proper text rendering. This object used the /ToUnicode attribute, pointing to object 12, which mapped character codes to Unicode values. This mapping enables precise text extraction and search by correlating Character IDs (CIDs) with their Unicode equivalents. In this case the stream contains the map shown in Fig. 6.

Figure 6: Font contained in object 11

CID      Value           CID      Value
<0026>   U+0046  F       <016C>   U+006B  k
<0057>   U+0050  P       <016F>   U+006C  l
<005E>   U+0053  S       <0175>   U+006D  m
<0068>   U+0055  U       <0176>   U+006E  n
<007A>   U+0059  Y       <017D>   U+006F  o
<0102>   U+0061  a       <0189>   U+0070  p
<010F>   U+0062  b       <018C>   U+0072  r
<0110>   U+0063  c       <0190>   U+0073  s
<011A>   U+0064  d       <019A>   U+0074  t
<011E>   U+0065  e       <01B5>   U+0075  u
<0128>   U+0066  f       <01C0>   U+0076  v
<0150>   U+0067  g       <01C7>   U+0079  y
<015A>   U+0068  h       <0357>   U+003A  :
<015D>   U+0069  i       <0358>   U+002E  .
<0169>   U+006A  j       <036C>   U+002F  /

 

The Character IDs (CIDs) from the table above are available for use in object 6 (the /Page object).

Object 6 defines various resources and references an additional object, object 7, as its content source. Object 7 is a stream object compressed using the Flate algorithm, requiring decompression before its contents can be examined.

Figure 7: Structure of the PDF

Decompression of the stream reveals the underlying elements, specifically describing the page's graphical and textual operations, as illustrated in the accompanying image, Fig. 8.

Figure 8: Decoded stream contained in obj 7

This stream holds the structure used by PDF readers to render links and text. Some text, such as "Text 3," may not be immediately visible, as depicted in Fig. 7. The stream includes PDF content operators, which instruct the viewer on how to render the page's content. Among these, the link associated with the "Text 3" object is embedded, allowing it to be clickable despite the text itself being hidden. While various operators are used, the Tj operator is commonly employed to display text strings, directing the viewer to render the specified text.

The operators used to create hidden, clickable text are as follows:

  • BT and ET: Begin and end a text object.
  • 1 1 1 RG: Sets the stroke colour to white.
  • 1 1 1 rg: Sets the fill colour to white.
  • Tf: Sets the font and font size, in this case /FT11 281 Tf (FT11 is declared in obj 11, explained above).
  • Tm: Sets the text matrix.
  • Tj: Shows a text string.
  • TD: Moves the text position.

The Tj operator is typically used to display text strings enclosed in parentheses. In this case, it uses a font named /FT11, defined in object 11. This particular font uses the previously described character mapping scheme to obscure the actual URL, "https[:]//jytdnuspsjrf[.]com/update/," within the displayed text.

This obfuscation technique is further enhanced by placing object 16 (an XObject) in the middle of the written URL, creating the appearance of a clickable button. While this method is effective in certain PDF viewers, such as Chrome and macOS Preview, it may not function in others, like the default Ubuntu Linux viewer (Evince). Here, the hidden text serves as a trigger for the clickable area defined by the XObject.
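As an added example (not code from the zLabs post), serving both the /URI discussion above and the operator walkthrough, the Python below shows why a /URI scan misses this technique and how a detector can still recover the text: it inflates the page content stream, tracks the fill colour set by rg, and decodes Tj hex strings drawn in white through the font's ToUnicode CMap. The CMap fragment, the content stream and the use of /FT11 are constructed; the six CID values come from the table above.

```python
import re
import zlib

# Constructed ToUnicode CMap (bfchar form) using six CID values from the table
# above, and a constructed page content stream that mimics the technique:
# white fill colour, the custom font /FT11, and the link text emitted as a hex
# string of CIDs instead of a /URI action.
TOUNICODE_CMAP = b"""1 begincodespacerange <0000> <FFFF> endcodespacerange
6 beginbfchar
<0068> <0055>
<0189> <0070>
<011A> <0064>
<0102> <0061>
<019A> <0074>
<011E> <0065>
endbfchar"""
CONTENT = zlib.compress(b"""BT 0 0 0 rg /FT11 12 Tf 1 0 0 1 72 700 Tm (Visible text) Tj ET
BT 1 1 1 RG 1 1 1 rg /FT11 281 Tf 1 0 0 1 10 10 Tm <00680189011A0102019A011E> Tj ET""")

def uri_actions(pdf_bytes):
    """The conventional check: /URI entries. It finds nothing for this technique."""
    return re.findall(rb"/URI\s*\(([^)]*)\)", pdf_bytes)

def parse_cmap(cmap):
    """Build a CID -> character map from the bfchar section of a ToUnicode CMap."""
    block = re.search(rb"beginbfchar(.*?)endbfchar", cmap, re.S).group(1)
    pairs = re.findall(rb"<([0-9A-Fa-f]+)>\s+<([0-9A-Fa-f]+)>", block)
    return {int(src, 16): chr(int(dst, 16)) for src, dst in pairs}

def hidden_text(compressed_stream, cmap):
    """Inflate the stream, walk its operators, and decode Tj strings drawn in white."""
    ops = zlib.decompress(compressed_stream).decode("latin-1")
    tokens = re.findall(r"<[0-9A-Fa-f]+>|\([^)]*\)|\S+", ops)
    fill_white, found = False, []
    for i, tok in enumerate(tokens):
        if tok == "rg":                       # fill colour; "1 1 1 rg" is white
            try:
                fill_white = all(float(t) == 1.0 for t in tokens[i - 3:i])
            except ValueError:
                fill_white = False
        elif tok == "Tj" and fill_white:
            s = tokens[i - 1]
            if s.startswith("<"):             # hex string: 2-byte CIDs through the font
                cids = [int(s[j:j + 4], 16) for j in range(1, len(s) - 1, 4)]
                found.append("".join(cmap.get(c, "?") for c in cids))
            else:                             # literal string in parentheses
                found.append(s[1:-1])
    return found
```

The decoder handles only Tj; a full detector would also cover the TJ array operator and the ' and " variants, and would flag white-on-white text regardless of whether it decodes to a URL.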

Landing Page

Upon clicking the "Click Update" button, the user was redirected to a USPS phishing webpage (Fig. 9) that simulated a delivery issue.

Fig. 9: Malicious landing page

Users were prompted to provide personal details, including name, address, email, and phone number (Fig. 10).

Fig. 10: Form displayed after the user's click

Upon clicking the "Update Immediately" button (Fig. 11), a subsequent form requested further information, where the entered data was packaged up, encrypted, and transmitted to a malicious Command and Control (C&C) server while also being stored locally in the user's browser.

Fig. 11: Form to steal card information from the victim

An analysis of the malicious webpage's JavaScript code revealed that the local storage keys were MD5 hashes of variable names. The values were JSON objects containing the victim's submitted information, encrypted using the Rabbit stream cipher. This stored data enabled the attackers to determine whether a user had already completed the first form, allowing them to bypass it if the information was already present.

Additionally, to verify the validity of the provided credit card details, the malicious JavaScript leverages the API of the external service https://binlist.net/.

An analysis of the captured network traffic (Fig. 12) confirmed that the data was encrypted using the Rabbit stream cipher. Notably, separate keys were used for encrypting requests and decrypting server responses. The key "magicCat-response" was employed for decrypting responses, while "magicCat-request" was used for requests.

Fig. 12: Encrypted communication captured during the analysis

Finally, analysis of the webpage revealed multilingual support, indicating the attackers' ability to target a wide range of countries and services to harvest confidential user data. This level of localization suggests this may be part of a phishing kit. The supported languages include:

Zimperium vs. Phishing and Malicious PDFs

Zimperium provides enterprises with robust protection against malicious PDFs, including those containing phishing links, through its advanced mobile security solutions. Leveraging its unique on-device AI-based detection engine, Zimperium can identify malicious PDFs and embedded phishing links in real time, even when devices are offline. By analyzing PDFs directly on the device, Zimperium ensures that privacy isn't compromised, as no sensitive data is sent to the cloud for analysis.

With Zimperium, enterprises gain comprehensive defense against evolving PDF-based attacks, including sophisticated phishing campaigns and zero-day exploits. This approach not only protects sensitive data and systems but also ensures user privacy, enabling organizations to maintain security, productivity, and compliance in an increasingly hostile threat landscape.

Fig. 13: Zimperium PDF file detection
Fig. 14: Zimperium phishing detection

IOCs

The IOCs for this campaign can be found here.


