Cyber Security News

Common Tactics Used by Threat Actors to Weaponize PDFs

In the vast and complex world of cybersecurity, danger often hides in the most unsuspecting corners, where our guard is weakest. Some threats, like timeless adversaries, persist and show no sign of fading away.

Cybersecurity analysts at Trustwave SpiderLabs recently observed an uptick in threat actors using PDFs for email-based initial access, highlighting a growing trend in evasive tactics.

PDF renders text and images consistently across devices, making it the standard format for electronic documents such as:

  • Resumes
  • Manuals
  • Invoices
  • Forms

What attracts threat actors to PDFs

The properties that draw threat actors to PDF files are:

  • Ubiquity
  • Trustworthiness
  • Difficulty in Detection

Techniques and Methods Used

The techniques and methods threat actors commonly use to weaponize PDF files are:

  • Malicious Hyperlinks: A PDF hyperlink is a clickable element that directs the user to an external resource. Attackers abuse it by embedding links that lead to phishing pages or malware downloads, as seen in the Qakbot and IcedID campaigns.
  • Qakbot: Qakbot’s evolving tactics include PDFs with disguised malicious links that deliver its payload, often posing as a legitimate update to trick the user into downloading the malware.
Typical infection chain starting with a PDF attachment (Source – Trustwave)
  • Actions and JavaScript: PDF actions and JavaScript provide interactivity, but attackers abuse the same features to run code or open other content as soon as the document loads.
  • PDF Dropper: Researchers found a PDF whose JavaScript action launches an embedded Office document; they examined it with Didier Stevens’ pdfid tool, which counts the keywords (such as /JavaScript and /EmbeddedFile) that signal this kind of behavior.
  • Vulnerabilities in PDF Readers: Exploiting a reader vulnerability such as CVE-2021-28550 can give an attacker control of an unpatched Adobe Acrobat Reader. A decade ago, PDF exploits were widespread, but with the rise of alternative PDF readers and built-in browser support the landscape has shifted, and in-the-wild exploitation has decreased.
  • Social Engineering: Threat actors craft emails that impersonate a brand or service to persuade the user to open the attached PDF, which looks legitimate but exists to extract sensitive data.
  • Call-back Phishing: Cybercriminals send PDF “invoices” from generic, undisclosed senders to create urgency and prompt the victim to call a phone number to update or cancel a subscription; the deception then continues over the phone.
PDF depicts fake purchase information from a well-known brand (Source – Trustwave)
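The hyperlink, action/JavaScript and dropper techniques above all leave traces in the PDF's object syntax. The following is an added example (not Trustwave's or pdfid's code) of the pdfid-style keyword triage an analyst would run on a suspicious attachment. It assumes a constructed sample file: the auto-run JavaScript object is hidden in a FlateDecode-compressed object stream and its name is written as /Ja#76aScript, the JavaScript payload only illustrates the "save and open the attachment" dropper pattern, and the link host is a placeholder under the reserved .invalid TLD.

```python
import re
import sys
import zlib

# Constructed sample, not a captured file. Object 4 (the auto-run action) is hidden
# inside a FlateDecode-compressed object stream (8 0 obj), which is how many real
# samples keep /JavaScript out of a naive string scan; /Ja#76aScript is the #xx
# name-escape trick. The JS payload illustrates the dropper pattern (save and open
# the attachment) and the link host is a placeholder under the reserved .invalid TLD.
JS_PAYLOAD = b"this.exportDataObject({cName:'invoice.docm', nLaunch:2});"
HIDDEN_OBJ = b"<< /S /Ja#76aScript /JS (" + JS_PAYLOAD + b") >>"
OBJSTM_BODY = b"4 0 " + HIDDEN_OBJ          # "<objnum> <offset>" header, then the object
OBJSTM_DATA = zlib.compress(OBJSTM_BODY)

SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R\n"
    b"  /Names << /EmbeddedFiles << /Names [(invoice.docm) 6 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link\n"
    b"  /A << /S /URI /URI (http://update.example.invalid/acrobat-update) >> >> endobj\n"
    b"6 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 7 0 R >> >> endobj\n"
    b"7 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nPK\x03\x04\nendstream endobj\n"
    b"8 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(OBJSTM_DATA)).encode() + b" >> stream\n" + OBJSTM_DATA + b"\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

RISKY_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
               "/EmbeddedFile", "/URI", "/SubmitForm", "/ObjStm")

NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]()%]+")      # a PDF name ends at whitespace/delimiter
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_BODY = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
LITERAL_URI = re.compile(rb"/URI\s*\(([^)]*)\)")


def normalize_name(token: bytes) -> str:
    """Undo #xx escapes so /Ja#76aScript compares equal to /JavaScript."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token).decode("latin-1")


def inflated_streams(data: bytes):
    """Yield the inflated body of every stream whose data zlib accepts."""
    for m in STREAM_BODY.finditer(data):
        try:
            out = zlib.decompressobj().decompress(m.group(1))  # tolerant of a clipped tail
        except zlib.error:
            continue  # raw, encrypted or differently-filtered stream: nothing to inflate
        if out:
            yield out


def count_risky_names(data: bytes, inflate: bool = True) -> dict:
    """pdfid-style keyword counts; with inflate=True, object streams are scanned too."""
    counts = {name: 0 for name in RISKY_NAMES}
    blobs = [data] + (list(inflated_streams(data)) if inflate else [])
    for blob in blobs:
        for m in NAME_TOKEN.finditer(blob):
            name = normalize_name(m.group(0))
            if name in counts:
                counts[name] += 1
    return counts


def extract_uris(data: bytes) -> list:
    """Literal-string /URI targets (hex-string <...> targets are not handled here)."""
    return [m.group(1).decode("latin-1") for m in LITERAL_URI.finditer(data)]


def triage(data: bytes) -> list:
    """Reasons an analyst should look closer; an empty list means nothing was flagged."""
    deep = count_risky_names(data)
    shallow = count_risky_names(data, inflate=False)
    reasons = []
    auto_run = deep["/OpenAction"] + deep["/AA"]
    active = deep["/JavaScript"] + deep["/JS"] + deep["/Launch"]
    if auto_run and active:
        reasons.append("auto-run action (/OpenAction or /AA) paired with JavaScript or /Launch")
    elif active:
        reasons.append("JavaScript or /Launch action present")
    if deep["/EmbeddedFile"]:
        reasons.append("embedded file attachment (possible dropper)")
    for uri in extract_uris(data):
        reasons.append("external link target to check: " + uri)
    if deep != shallow:
        reasons.append("some indicators are only visible after inflating object streams")
    return reasons


if __name__ == "__main__":
    pdf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for name, n in count_risky_names(pdf).items():
        print(f"{name:<14}{n}")
    for reason in triage(pdf):
        print("!", reason)
```

Run it with a file path to triage a real attachment, or with no arguments to scan the built-in sample. A raw string scan of the sample reports no /JavaScript at all; only after inflating the object stream do the /JavaScript and /JS counts appear, which is why a keyword count should never be trusted without also inflating streams (pdfid itself leaves that to pdf-parser). Encrypted PDFs and hex-encoded /URI strings defeat this simple scanner and need a real parser.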

PDFs remain a top choice for threat actors due to their wide use and cross-platform compatibility, presenting an ongoing opportunity for cybercriminals.

Indicators of Compromise

IoC of Qakbot (Source – Trustwave)
IoC of PDF Dropper (Source – Trustwave)
IoC of Callback Phishing (Source – Trustwave)


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
