PDFs, the Portable Document Format, have long been a staple of business. They are easy to create, hard for the recipient to alter, and render the same on any platform, from Mac to Windows to Linux. Those traits, along with PDF being one of the first truly cross-platform document formats when it was introduced, made it the industry standard for exchanging documents. PDFs are the de facto standard, and they are everywhere.
It is no wonder that they are also a favorite way for attackers to drop a payload on an unsuspecting victim.
Last week DarkReading reported that Turla, a Russian-speaking threat group widely considered to be affiliated with, if not an outright extension of, Russian intelligence services, has crafted a PDF-delivered payload that is stand-alone, meaning it operates without a dedicated command-and-control server. In effect, they send emails with a PDF attachment carrying their malicious payload. It installs a hidden backdoor on the workstation and notifies Turla. From there they can get in and exfiltrate data without anyone knowing, unless of course you have network-level monitoring or firewall logging in place.
Even then, if you are not reviewing that telemetry regularly you will not notice subtle changes in bandwidth or traffic flow.
The backdoor they deliver is a standalone DLL (dynamic link library) that installs itself and registers so that your email client, Outlook or Thunderbird to name two, loads it and it can exfiltrate data through the client's own mail flow. Because the theft rides on legitimate mail traffic, it circumvents most DLP (data loss prevention) products and evades anti-malware detection.
"How can they do that?" you ask. The DLL wraps the stolen data so that it looks like just another PDF document, and PDFs are typically treated as harmless by many of the security solutions in use.
Turla's backdoor monitors all email traffic, incoming and outgoing, on the infected system. It collects message metadata, such as sender, recipient, subject, and the attachment name if there is one, into logs. Periodically those logs are bundled into a PDF document and emailed to the Turla operators as an attachment.
Even more nefariously, and the reason this is such a potentially devastating piece of malware, the Outlook backdoor also checks all incoming email for PDF attachments from the Turla group. Those attachments carry the attackers' commands to execute on the compromised system. This removes the traditional command-and-control server that hackers use to run their operations and that authorities target to shut them down.
And if you (or your anti-malware flavor of the month) block the malicious sender address at your mail gateway, they can simply send the next command-bearing PDF from another address they quickly set up.
The lack of a command-and-control server means the malware can be controlled entirely through email, which makes it difficult, if not impossible, to shut down by taking infrastructure offline.
Wrapping the exfiltrated data as a PDF means traditional anti-malware and DLP systems will not catch the theft, since outbound PDFs are treated as legitimate.
Using email to exfiltrate data means most next-generation endpoint protections will not be very effective either, since mail leaving the email client is normal behavior and looks entirely legitimate.
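The weak point the three preceding paragraphs describe is that nobody opens the PDF to ask whether it is really just a PDF. As an added example (the editor's own, not code from the article, DarkReading, ESET or Turla), here is a Python scanner that does exactly that for attachments in both directions: outbound mail that might carry a log bundle, and inbound mail that might carry commands. Every sample message is constructed inline, and the heuristics (data appended after `%%EOF`, embedded files, JavaScript, header-like plaintext) are the editor's assumptions, not a description of Turla's actual container format.

```python
# Added example (editor's own, not code from the article, DarkReading, ESET or
# Turla): inspect PDF attachments in mail for signs that the "PDF" is a wrapper
# around something else. All sample messages below are constructed here; the
# heuristics are assumptions, not a description of Turla's real container.
import email
import re
from email import policy
from email.message import EmailMessage

PDF_MAGIC = b"%PDF-"
EOF_MARKER = b"%%EOF"


def minimal_pdf(extra: bytes = b"") -> bytes:
    """Build a tiny but structurally complete PDF, optionally with data appended
    after %%EOF (a common way to smuggle a payload in a file that still opens)."""
    body = (b"%PDF-1.4\n"
            b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
            b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
            b"trailer<</Root 1 0 R>>\n" + EOF_MARKER + b"\n")
    return body + extra


def build_message(sender: str, recipient: str, subject: str,
                  filename: str, attachment: bytes) -> bytes:
    """Construct a raw RFC 5322 message with one attachment declared as a PDF."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    msg.add_attachment(attachment, maintype="application", subtype="pdf",
                       filename=filename)
    return msg.as_bytes()


def inspect_pdf(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    if not data.startswith(PDF_MAGIC):
        findings.append("no %PDF- header: not a PDF at all")
    eof = data.rfind(EOF_MARKER)
    if eof == -1:
        findings.append("no %%EOF marker")
    else:
        trailing = data[eof + len(EOF_MARKER):].strip(b"\r\n\t ")
        if trailing:
            findings.append(f"{len(trailing)} bytes appended after %%EOF")
    if b"/EmbeddedFile" in data:
        findings.append("carries an embedded file")
    if re.search(rb"/(JavaScript|JS)\b", data):
        findings.append("contains JavaScript")
    # A bundle of harvested mail logs would carry header-like fields in the
    # clear; a benign PDF keeps its text inside (usually compressed) streams.
    if re.search(rb"^(From|To|Subject): ", data, re.M):
        findings.append("plaintext mail header fields in the body")
    return findings


def scan_message(raw: bytes) -> dict:
    """Parse one raw message and inspect every attachment that claims to be a PDF."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"from": msg["From"], "to": msg["To"],
              "subject": msg["Subject"], "findings": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if part.get_content_type() == "application/pdf" or name.lower().endswith(".pdf"):
            hits = inspect_pdf(part.get_payload(decode=True))
            if hits:
                report["findings"][name] = hits
    return report


# Constructed sample traffic: a legitimate PDF, a "PDF" with harvested mail
# metadata appended after %%EOF (an exfiltration container), and a DLL-looking
# blob renamed to .pdf arriving from outside.
SAMPLES = [
    build_message("alice@corp.example", "bob@corp.example", "Q3 report",
                  "q3.pdf", minimal_pdf()),
    build_message("alice@corp.example", "drop@mail.example", "Re: invoice",
                  "invoice.pdf",
                  minimal_pdf(b"From: ceo@corp.example\nTo: cfo@corp.example\n"
                              b"Subject: wire instructions\n")),
    build_message("outside@mail.example", "alice@corp.example", "Contract",
                  "contract.pdf", b"MZ\x90\x00" + b"\x00" * 64),
]


def scan_all(samples=SAMPLES) -> list[dict]:
    return [scan_message(raw) for raw in samples]


if __name__ == "__main__":
    for r in scan_all():
        status = "FLAG" if r["findings"] else "ok  "
        print(f"{status} {r['from']} -> {r['to']} [{r['subject']}] {r['findings']}")
```

In practice this would run at the mail gateway on both inbound and outbound queues. The structural checks are cheap and catch lazy containers (appended data, renamed binaries), but a well-formed PDF whose payload sits inside a compressed or encrypted stream will pass them; pair the scanner with a baseline of who normally sends PDFs to whom, so that a workstation suddenly mailing PDFs to an address it has never received mail from stands out.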
This truly is the nightmare scenario many security professionals have talked or thought about, and one you do NOT want to fall victim to.
The most reliable way to mitigate, if not prevent, this is security awareness training with ongoing refreshers, so that your team stays alert to unexpected PDF attachments and knows to report them rather than open them.