These malicious files allow collection of victims' data
Network security and ethical hacking specialists from the International Institute of Cyber Security report the discovery of a malicious campaign in which PDF documents exploit a zero-day vulnerability in Google Chrome's built-in PDF viewer to extract information from users.
A cybersecurity firm discovered these PDF documents and states that they contact a remote domain that stores the extracted information, such as the victim's IP address, operating system version, browser version and the path at which the PDF is stored on the computer.
Network security specialists claim that the attack only works in Chrome: when they opened these PDF documents in tools such as Adobe Reader, no connection between the file and the remote domain was observed. According to experts, there are two different sets of PDFs exploiting this vulnerability; the files are believed to have been circulating since October 2017.
During the investigation it was discovered that the first group of malicious PDF files sent user data to a domain registered as “readnotify.com”, whereas, according to the investigators, the second group of files sent the information to the address “Zuxjk0dftoamimorjl9dfhr44vap3fr7ovgi76w.burpcollaborator.net”.
Although network security experts did not find additional malicious code in these files, they note that this information-gathering campaign could be useful for profiling potential victims of future cyberattacks.
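As an added defensive illustration (not code from the article or the researchers), the scanner below triages PDF files for the behaviour described above: it looks for actions that fire on open, for embedded script or URI actions, and for URLs whose host falls under the two exfiltration domains named in the report. The sample PDFs are constructed for the demonstration and are not the actual files found in the campaign.

```python
import re

# Indicators taken from the report: the two domains that received the collected data.
KNOWN_EXFIL_DOMAINS = {"readnotify.com", "burpcollaborator.net"}

# PDF keys that let a document act automatically on open or reach out to the network.
SUSPICIOUS_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
                   b"/URI", b"/SubmitForm", b"/Launch")

def _normalise_names(data: bytes) -> bytes:
    """Resolve #XX hex escapes in PDF names (e.g. /J#53 -> /JS) so keyword checks cannot be dodged."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf_bytes(data: bytes) -> dict:
    """Return the suspicious keys, the URLs found, known-domain hits and an overall verdict."""
    norm = _normalise_names(data)
    keys = [k.decode() for k in SUSPICIOUS_KEYS if k in norm]
    urls = [u.decode(errors="replace") for u in re.findall(rb"https?://[^\s\"'()<>]+", norm)]
    hosts = {u.split("//", 1)[1].split("/", 1)[0].lower() for u in urls}
    hits = sorted(h for h in hosts
                  if any(h == d or h.endswith("." + d) for d in KNOWN_EXFIL_DOMAINS))
    fires_on_open = "/OpenAction" in keys or "/AA" in keys
    has_script = "/JS" in keys or "/JavaScript" in keys
    if hits:
        verdict = "known-exfil"
    elif fires_on_open and (urls or has_script):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"keys": keys, "urls": urls, "known_domain_hits": hits, "verdict": verdict}

# Constructed sample: an open-action with an obfuscated /JS name and a tracker URL (placeholder host).
SAMPLE_TRACKING_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /J#53 ('http://t.burpcollaborator.net/ping') >> endobj\n"
    b"%%EOF\n"
)
# Constructed sample: a plain document with no actions at all.
SAMPLE_CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("tracking", SAMPLE_TRACKING_PDF), ("clean", SAMPLE_CLEAN_PDF)):
        print(name, scan_pdf_bytes(blob))
```

Run it against a directory of PDFs by passing each file's bytes to scan_pdf_bytes; a "suspicious" verdict on a document you did not expect to carry scripts or network actions is the point at which to open it only in an isolated, offline viewer.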
However, security expert Patrick Warder says that these documents were not designed as malicious content, even though they exploit a vulnerability in Chrome. The expert claims that these files were assembled using a service called PDF tracking, which allows the activity related to a PDF to be tracked; this feature has existed since 2010.
So far this is all that is known about these PDF files. It is not known whether they were designed by a group of hackers, whether they are part of a series of tests, or whether they were intended for a legitimate purpose.
The experts who discovered these files mention that they notified Google about the vulnerability at the end of last year. The company later acknowledged that it was a zero-day vulnerability and pledged to correct it no later than April 2019.
“We decided to disclose our research before the update is released because we believe it is necessary for those potentially affected to be aware of the risk, and it is still a couple of months before the vulnerability is corrected, so many users are still exposed,” the experts added.
Specialists recommend using tools such as Adobe Reader to view PDF files, as well as disconnecting from the Internet while viewing a PDF in Google Chrome, as measures to mitigate the risk.