Blog Post

Infected PDFs

Sep 27, 2018

The Turla threat group, certainly Russian-speaking and widely attributed to Russian intelligence services, is back with a scary new phishing technique. These bad guys are sending emails with a malicious PDF payload that installs a hidden backdoor on the workstation.

The backdoor is a standalone dynamic link library that's able to install itself and interact with Outlook and other email clients. It exfiltrates data through email, which means that it evades detection by many commonly used data loss prevention products. The stolen data is enclosed in a PDF container, which also looks unproblematic to many security solutions.

Researchers who have tracked this latest evolution of Turla warn that there is no command-and-control server that can be taken down: the malware can be controlled entirely via email, the data exfiltration can look completely legitimate, and the way the campaign modifies standard functions makes it a stealthy and hard-to-eradicate infection.

The purpose of this malware is to monitor all incoming and outgoing emails on infected systems and to gather information about the sender, recipient, subject, and attachment name (if any). That data is then organised into logs that are sent to the Turla operators.

The Outlook backdoor also checks all incoming email for PDFs that might contain commands from the attackers. It will accept commands from ANY threat actor that is able to encode them in the right format in a PDF document.

If the email address to which the malware typically transmits stolen data is blocked, the hacker can recover control of the backdoor simply by sending a rogue PDF with a new C2 address.
