Hackers Use Weaponized PDF Files to Deliver Byakugan Malware on Windows

Because PDF files are widely used and widely trusted, attackers frequently weaponize them as an attack vector.

A PDF can carry malicious code or exploits that abuse flaws in PDF readers.

Once an unsuspecting user opens such a malicious PDF, the payload runs and compromises the system.

Cybersecurity researchers at Fortinet recently identified that hackers have been actively using weaponized PDF files to deliver Byakugan malware.


Technical analysis

In January 2024, FortiGuard Labs discovered a Portuguese-language PDF file distributing the multi-functional Byakugan malware.

The malicious PDF tricks the user into clicking a link by presenting a blurred table.

Clicking the link activates a downloader that drops a copy of itself (require.exe) and fetches a DLL used for DLL hijacking.

require.exe is then run to retrieve the main module (chrome.exe). Notably, the downloader behaves differently depending on whether it is running under the name require.exe from the temp folder, an evasion check against analysis.

Infection flow (Source - Fortinet)

A blurred table is displayed on the victim's screen, prompting them to click a link; doing so downloads a DLL for DLL hijacking and drops a copy of the downloader (require.exe).


To fetch the main module (chrome.exe), require.exe is run.

However, its behavior varies slightly depending on whether it has been renamed when placed in the temp folder, which indicates a built-in evasion check.

The login page (Source - Fortinet)

The main module is a Node.js application packaged with pkg into a standalone executable. It contains the main script and a few feature libraries.

According to a Fortinet report shared with Cyber Security News, the malware also downloads additional files into the %APPDATA%\ChromeApplication folder, a directory the malware creates itself, which demonstrates its adaptability and persistence.
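As an added defender-side example (not code from the original article or from Fortinet), the following Python script checks constructed Sysmon-style process-creation and image-load records for the chain described above: require.exe starting from a Temp folder, chrome.exe running from a non-standard directory such as %APPDATA%\ChromeApplication, and that chrome.exe loading a DLL from its own directory. The record format, the user name and the DLL file name are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style records (EventID 1 = process create, 7 = image load); not real telemetry.
# %APPDATA%\ChromeApplication and require.exe in Temp are the paths named in the report;
# the DLL file name is a constructed placeholder because the report does not name the hijacked DLL.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Program Files\Google\Chrome\Application\chrome.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=1 Image=C:\Users\alice\AppData\Local\Temp\require.exe ParentImage=C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
    r"EventID=1 Image=C:\Users\alice\AppData\Roaming\ChromeApplication\chrome.exe ParentImage=C:\Users\alice\AppData\Local\Temp\require.exe",
    r"EventID=7 Image=C:\Users\alice\AppData\Roaming\ChromeApplication\chrome.exe ImageLoaded=C:\Users\alice\AppData\Roaming\ChromeApplication\PLACEHOLDER.dll",
]

# key=value pairs whose values may contain spaces (e.g. "Program Files"); a value ends before the next key=
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def is_chrome_dir(directory):
    # Genuine Chrome lives in ...\Google\Chrome\Application (system-wide or per-user install).
    return directory.lower().endswith(r"\google\chrome\application")

def scan(lines):
    """Return (rule, path) findings that match the Byakugan infection chain."""
    findings = []
    for ev in map(parse_event, lines):
        img = PureWindowsPath(ev.get("Image", ""))
        name, img_dir = img.name.lower(), str(img.parent).lower()
        if ev.get("EventID") == "1":
            if name == "require.exe" and "\\temp\\" in img_dir + "\\":
                findings.append(("require.exe launched from a Temp folder", str(img)))
            if name == "chrome.exe" and not is_chrome_dir(img_dir):
                findings.append(("chrome.exe running outside a Chrome install directory", str(img)))
        elif ev.get("EventID") == "7" and name == "chrome.exe":
            dll = PureWindowsPath(ev.get("ImageLoaded", ""))
            # A chrome.exe outside its install path loading a DLL from its own folder is the hijacking pattern.
            if str(dll.parent).lower() == img_dir and not is_chrome_dir(img_dir):
                findings.append(("chrome.exe loading a DLL from its own non-standard directory (DLL hijacking pattern)", str(dll)))
    return findings

if __name__ == "__main__":
    for rule, path in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {rule}: {path}")
```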

Byakugan features

Byakugan's features are listed below:

  • Screen monitor
  • Screen capture
  • Miner
  • Keylogger
  • File manipulation
  • Browser information stealer
  • Anti-analysis
  • Persistence

It is part of a growing trend of bundling many malicious components into a single piece of malware, which makes accurate identification harder because of the added noise.

The downloaded files, however, revealed important details about Byakugan's internal workings, making the Trojan's malicious modules easier to analyze.


IoCs

Git repository

  • github[.]com/thomasdev33k
  • github[.]com/fefifojs
  • github[.]com/wonderreader

C2 Server

  • blamefade.com[.]br
  • thinkforce.com[.]be

Files

  • PDF


  • exe


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.