In a new wave of cyber threats, counterfeit installers for Adobe Acrobat Reader are being exploited to disseminate a multi-functional malware known as Byakugan.
The attack commences with a PDF file, primarily in Portuguese. Upon opening, it displays a blurred image, prompting the user to download the Reader application via a provided link to view the content.
As per the analysis by Fortinet FortiGuard Labs, clicking the URL triggers the delivery of an installer ("Reader_Install_Setup.exe") that initiates the infection process. The details of this campaign were initially disclosed by the AhnLab Security Intelligence Center (ASEC) in the previous month.
The attack chain employs techniques such as DLL hijacking and Windows User Access Control (UAC) bypass to load a malicious dynamic-link library (DLL) file named "BluetoothDiagnosticUtil.dll". This, in turn, releases the final payload and also deploys a legitimate installer for a PDF reader like Wondershare PDFelement.
The binary is designed to collect and export system metadata to a command-and-control (C2) server and drop the main module ("chrome.exe") from a different server that also serves as its C2 for receiving files and commands.
"Byakugan is a node.js-based malware packed into its executable by pkg," stated security researcher Pei Han Liao. "In addition to the main script, there are several libraries corresponding to features."
- Setting up persistence
- Monitoring the victim's desktop using OBS Studio
- Capturing screenshots
- Downloading cryptocurrency miners
- Logging keystrokes
- Enumerating and uploading files
- Extracting data stored in web browsers
"There is a growing trend to use both clean and malicious components in malware, and Byakugan is no exception," observed Fortinet. "This approach increases the amount of noise generated during analysis, making accurate detections more difficult."
This disclosure follows the revelation by ASEC of a new campaign that spreads the Rhadamanthys information stealer under the disguise of an installer for groupware. "The threat actor created a fake website to resemble the original website and exposed the site to the users using the ad feature in search engines," the South Korean cybersecurity firm noted. "The malware in distribution uses the indirect syscall technique to hide from the eyes of security solutions."
Furthermore, it has been discovered that a manipulated version of Notepad++ is being used by unidentified threat actors to propagate the WikiLoader malware (aka WailingCrab).