Hackers steal users’ information by exploiting a Chrome zero-day vulnerability

These malicious files allow the collection of victims’ data

Network security and ethical hacking specialists from the International
Institute of Cyber Security report the discovery of a malicious campaign that
uses PDF documents to exploit a zero-day vulnerability in Google Chrome’s
built-in PDF viewer to extract information from users.

A cybersecurity firm discovered these PDF documents, stating that they contact
a remote domain that stores the extracted information, such as the victim’s IP
address, operating system version, browser version and the path of the PDF file
on the victim’s computer.

Network security specialists claim that the attack only works in Chrome: when
they opened these PDF documents in tools such as Adobe Reader, no connection
between the file and the remote domain was made. According to experts, there
are two different sets of PDF files exploiting this vulnerability; it is
believed that these files have been circulating since October 2017.

During the investigation it was discovered that the first group of malicious
PDF files sent user data to a domain registered as “readnotify.com”, whereas,
according to the investigators, the second group of files sent the information
to the address “Zuxjk0dftoamimorjl9dfhr44vap3fr7ovgi76w.burpcollaborator.net”.
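
Defenders can check DNS or proxy logs for lookups of the two destinations named above. The following Python is an added example, not part of the original report; the log format (timestamp, client IP, queried name) and the sample lines are constructed for illustration.

```python
from collections import defaultdict

# Parent domains named in the article; a host at or under either one is a hit.
WATCHED = ("readnotify.com", "burpcollaborator.net")

def matches_watched(host):
    """Return the watched parent domain that host falls under, or None."""
    host = host.strip().rstrip(".").lower()  # drop FQDN trailing dot, fold case
    for parent in WATCHED:
        # Exact match or true subdomain only; "notreadnotify.com" must not match.
        if host == parent or host.endswith("." + parent):
            return parent
    return None

def find_callbacks(log_lines):
    """Map each client IP to the sorted watched hosts it looked up."""
    hits = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3 or line.lstrip().startswith("#"):
            continue  # skip comments and malformed lines
        client, qname = fields[1], fields[2]
        if matches_watched(qname):
            hits[client].add(qname.rstrip(".").lower())
    return {client: sorted(hosts) for client, hosts in hits.items()}

# Constructed sample DNS log (assumed format: time, client IP, queried name).
SAMPLE_LOG = """\
# time client query
2019-02-27T09:14:02Z 10.0.4.17 www.google.com.
2019-02-27T09:14:05Z 10.0.4.17 Zuxjk0dftoamimorjl9dfhr44vap3fr7ovgi76w.burpcollaborator.net.
2019-02-27T09:15:40Z 10.0.4.22 ReadNotify.com
2019-02-27T09:16:11Z 10.0.4.31 notreadnotify.com
2019-02-27T09:16:12Z 10.0.4.31 readnotify.com.cdn.example
malformed-line
""".splitlines()

if __name__ == "__main__":
    for client, hosts in find_callbacks(SAMPLE_LOG).items():
        print(client, hosts)
```

Hits need triage rather than automatic blocking, since burpcollaborator.net is also used by security testers running Burp Suite.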

Although network security experts did not find
additional malicious code in these files, they note that this information
gathering campaign might be useful in detailing the profiles of potential
victims of future cyberattacks.

However, security expert Patrick Warder mentions that these documents were not
designed as malicious content, even though they exploit a vulnerability in
Chrome. The expert claims that these files were assembled using a service
called PDF tracking, which allows activity related to a PDF to be tracked; this
feature has existed since 2010.

So far this is all that is known about these
PDF files. It is not known whether they were designed by a group of hackers,
whether they are part of a series of tests, or whether they were intended for a
legitimate purpose.

The experts who discovered these files mention
that they notified Google about the vulnerability at the end of last year. The
company later acknowledged that it was a zero-day vulnerability and pledged to
correct it no later than April 2019.

“We decided to disclose our research before the update is launched because we
believe it is necessary for those potentially affected to be aware of the risk,
and it is still a couple of months before the vulnerability is corrected, so
many users are still exposed,” the experts added.

Specialists recommend using tools like Adobe
Reader to view PDF files, as well as interrupting the Internet connection while
viewing a PDF in Google Chrome as measures to mitigate risks.
