Attackers using the Snake keylogger malware for Windows are emailing malicious PDFs with embedded Word documents to infect victims’ PCs and steal information.
Malicious PDFs are an unusual choice today because attackers prefer Office formats like Word and Excel, which are more familiar to PC users, according to threat analysts at HP's Wolf Security who recently discovered the PDF malware campaign.
The malicious PDF was used to infect PCs with Snake, a keylogger and credential stealer which was first spotted in late November 2020, according to HP.
The attackers sent emails with an attached PDF document named "REMMITANCE INVOICE.pdf", which in turn carried an embedded Word document named "has been verified. However PDF, Jpeg, xlsx, .docs".
The reason for choosing this odd and rather sneaky file name for the Word document becomes clear from the prompt that Adobe Reader displays when asking whether the user approves opening the file.
The prompt reads: “The file ‘has been verified. However PDF, Jpeg, xlsx, .docs’ may contain programs, macros, or viruses that could potentially harm your computer.”
An employee who hastily reads the notice could mistakenly understand that the file in question has been verified and is safe to
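As an added example, not code from HP's report or this article, the following Python triage script pulls attachment names out of a PDF's /Filespec objects and flags names that read like reassurance text, the trick described above. The PDF bytes, the reassurance word list and the heuristics are constructed here for illustration, not taken from a real sample.

```python
import re

# Constructed sample: a minimal PDF skeleton with one embedded-file attachment whose
# name copies the one reported in the campaign. The "payload" is four harmless bytes.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(a) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
4 0 obj << /Type /Filespec /F (has been verified. However PDF, Jpeg, xlsx, .docs) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Subtype /application#2Fvnd.openxmlformats-officedocument.wordprocessingml.document /Length 4 >>
stream
PK\x03\x04
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Words that make a file name read like the viewer's own security prompt (assumed list).
REASSURANCE_WORDS = ("verified", "safe", "trusted", "scanned", "no virus")


def _literal_string(data: bytes, start: int) -> str:
    """Decode a PDF literal string starting at data[start] == b'(' (balanced parens, backslash escapes)."""
    out, depth, i = bytearray(), 1, start + 1
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":                      # escaped char: keep it verbatim
            out += data[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth:
            out += c
        i += 1
    return out.decode("latin-1")


def embedded_file_names(pdf: bytes) -> list[str]:
    """Return the /F name of every /Filespec object in the raw PDF bytes."""
    names = []
    for m in re.finditer(rb"/Type\s*/Filespec", pdf):
        end = pdf.find(b"endobj", m.end())
        obj = pdf[m.start():end if end != -1 else len(pdf)]
        f = re.search(rb"/F\s*\(", obj)     # "/F (" only; "/EF <<" and "/UF (" do not match
        if f:
            names.append(_literal_string(obj, f.end() - 1))
    return names


def suspicious_attachment(name: str) -> list[str]:
    """Heuristic reasons an attachment name looks crafted to blend into a security prompt."""
    reasons, low = [], name.lower()
    if any(w in low for w in REASSURANCE_WORDS):
        reasons.append("reassurance wording that reads as part of the viewer prompt")
    if re.search(r"[.!?]\s+[A-Z]", name):
        reasons.append("sentence punctuation inside the file name")
    if not re.search(r"\.[a-z0-9]{2,5}$", low):
        reasons.append("no conventional file extension at end of name")
    return reasons


def scan_pdf(pdf: bytes) -> dict:
    """Count embedded-file streams and score each attachment name."""
    return {
        "embedded_file_streams": len(re.findall(rb"/Type\s*/EmbeddedFile\b", pdf)),
        "attachments": {n: suspicious_attachment(n) for n in embedded_file_names(pdf)},
    }
```

Any PDF that carries embedded files at all is worth a closer look in a mail gateway; the name heuristics only rank which ones to open first.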