A Malware Attack Targets Crypto Wallets with Fake PDF Converter Software


In brief

  • A malware campaign is using fake PDF-to-DOCX converters as a new delivery vector.
  • The victim is tricked into executing a PowerShell command, which installs Arechclient2, a variant of SectopRAT.
  • The malware can steal seed phrases and tap into Web3 APIs in order to drain assets.

A malware campaign is using fake PDF-to-DOCX converters to trick users into running a malicious PowerShell command on their computers. The command installs a remote access trojan that lets the attacker reach crypto wallets, hijack browser credentials and steal other sensitive information.

CloudSEK's security research team, following an FBI warning last month, has completed an investigation that details how the attacks work.

The attack is designed to get users to execute a PowerShell command that installs the Arechclient2 malware, a variant of SectopRAT. SectopRAT belongs to a family of information stealers known for harvesting sensitive data.

To convince users that they are safe, the malicious sites imitate the legitimate PDFCandy converter and, instead of the promised conversion, deliver the malware. The sites show loading bars and a CAPTCHA check to make the process look genuine.

Ultimately, after several redirects, the victim's machine downloads an "adobe.zip" file containing the payload, exposing the device to the remote access trojan, which has been active since 2019.

Victims are exposed to theft of data such as browser credentials and wallet details.

Stephen Ajayi, Dapp Audit Lead at Hacken, said (via Decrypt) that the malware checks extension stores and lifts seed phrases. It even taps Web3 APIs in order to "ghost-drain" assets after approval.

CloudSEK advises users to run antivirus and anti-malware software, and to "Verify file types beyond just extensions, as malicious files often masquerade as legitimate document types."

The firm also advises users to rely on "trusted, reputable file conversion tools from official websites rather than searching for 'free online file converters'," and to consider using "offline conversion tools that don't require uploading files to remote servers."
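As an added illustration of the "verify file types beyond just extensions" advice (example code written for this page, not CloudSEK's tooling), the following Python checks a file's leading bytes against what its extension promises, and looks inside ZIP containers because a DOCX is itself a ZIP. The signature table is a small illustrative subset, and the sample files, including the PE binary renamed to .pdf and the archive carrying an executable, are constructed for the demo.

```python
import io
import os
import zipfile

# Well-known file headers. Illustrative subset, not an exhaustive signature list.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),          # PE executable (.exe, .dll, .scr share this header)
    (b"PK\x03\x04", "zip"),  # ZIP container: plain .zip, but also .docx/.xlsx/.jar
]

# Extensions a user expects to be harmless documents, and the content each should have.
EXPECTED = {".pdf": "pdf", ".docx": "docx"}

EXECUTABLE_MEMBERS = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".js", ".vbs", ".hta")


def classify_zip(data: bytes) -> str:
    """Tell an Office document apart from a plain archive by what the ZIP contains."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip-corrupt"
    if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
        return "docx"
    if any(n.lower().endswith(EXECUTABLE_MEMBERS) for n in names):
        return "zip-with-executable"
    return "zip"


def sniff_type(data: bytes) -> str:
    """Return the real type of `data` from its header, ignoring the file name entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return classify_zip(data) if kind == "zip" else kind
    return "unknown"


def verify(filename: str, data: bytes) -> tuple[bool, str]:
    """True when the content matches the extension's promise, else False plus a reason."""
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff_type(data)
    expected = EXPECTED.get(ext)
    if expected is None:
        return False, f"{filename}: {ext or '(no extension)'} is not an expected document type (content is {actual})"
    if actual != expected:
        return False, f"{filename}: claims to be {expected} but content is {actual}"
    return True, f"{filename}: content matches extension ({actual})"


# Constructed sample files for the demo (built in memory, nothing touches disk).
def make_docx_bytes() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def make_zip_with_exe() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 64)  # fake PE header, constructed
    return buf.getvalue()


SAMPLES = {
    "report.pdf": b"%PDF-1.7\n% constructed minimal header\n",
    "report.docx": make_docx_bytes(),
    "converted.pdf": b"MZ\x90\x00" + b"\x00" * 60,  # a PE binary renamed to .pdf
    "adobe.zip": make_zip_with_exe(),                 # an archive carrying an executable
}


def audit(samples: dict = SAMPLES) -> dict:
    """Map each sample name to whether it passed verification."""
    return {name: verify(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, msg = verify(name, data)
        print(("OK    " if ok else "ALERT ") + msg)
```

The check deliberately refuses anything that is not on the short list of expected document types, so an archive handed out by a "converter" fails even before its contents are examined; in practice the signature table would be replaced by a full library such as libmagic, but the logic of comparing content to claimed type is the point.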

Hacken's Ajayi told crypto users: "Trust, like a spectrum of emotions, is earned and not handed out." In cybersecurity, he said, nothing should be assumed safe. People should "apply a zero-trust mentality and maintain their security stack, particularly EDR and antivirus tools which can flag anomalous behavior like rogue MSBuild.exe activity."

Ajayi added that attackers are constantly evolving, so defenders must evolve too: "Regular training, situational awareness, and strong detection coverage are essential." Prepare for the worst-case scenario, stay skeptical, and have an emergency response playbook at the ready.
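Ajayi's remark about rogue MSBuild.exe activity can be turned into a concrete detection. The example below is added here and is not Hacken's, CloudSEK's or any EDR vendor's logic, and the page does not describe how this campaign uses MSBuild; it simply scores constructed process-creation events in a simplified Sysmon Event ID 1 shape, treating MSBuild.exe as suspicious when a script host such as powershell.exe launched it, when its project argument sits in a user-writable directory, or when that argument lacks a normal project extension. The sample events, paths, PIDs, parent list and severity threshold are all assumptions made for the illustration.

```python
import ntpath
import re

# Constructed sample events in a simplified Sysmon Event ID 1 (process creation) shape.
# Field names follow Sysmon; the paths, PIDs and command lines are invented.
SAMPLE_EVENTS = [
    {   # a developer building from Visual Studio: expected, should not alert
        "ProcessId": 4120,
        "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
        "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build',
    },
    {   # a script host running the framework MSBuild on a file dropped in Temp
        "ProcessId": 5532,
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\alice\AppData\Local\Temp\x\payload.xml",
    },
    {   # a build from a console: common enough that it is left unflagged (see SCRIPT_HOSTS)
        "ProcessId": 6001,
        "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj"',
    },
    {   # a build started from PowerShell on an ordinary project: one weak signal only
        "ProcessId": 7010,
        "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
        "ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build',
    },
]

# Parents that suggest MSBuild was started by a script rather than a developer tool.
# cmd.exe is deliberately omitted: developers routinely run builds from a console.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
# Directories any user can write to; a project file living there is out of place. Assumed list.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\", re.IGNORECASE)
# Extensions a genuine build normally passes to MSBuild. Assumed list.
PROJECT_EXT = re.compile(r"\.(csproj|vbproj|fsproj|vcxproj|proj|sln|targets)\b", re.IGNORECASE)


def reasons_for(evt: dict) -> list:
    """Return the suspicious traits of one process-creation event (empty list = nothing odd)."""
    if ntpath.basename(evt["Image"]).lower() != "msbuild.exe":
        return []
    reasons = []
    parent = ntpath.basename(evt["ParentImage"]).lower()
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    if USER_WRITABLE.search(evt["CommandLine"]):
        reasons.append("project file lives in a user-writable directory")
    if not PROJECT_EXT.search(evt["CommandLine"]):
        reasons.append("project argument lacks a standard project extension")
    return reasons


def detect(events: list) -> list:
    """Score each event; two or more traits together are rated high, a single one low."""
    alerts = []
    for evt in events:
        reasons = reasons_for(evt)
        if reasons:
            severity = "high" if len(reasons) >= 2 else "low"
            alerts.append((evt["ProcessId"], severity, reasons))
    return alerts


if __name__ == "__main__":
    for pid, severity, reasons in detect(SAMPLE_EVENTS):
        print(f"[{severity}] pid {pid}: " + "; ".join(reasons))
```

The severity split matters in practice: a developer launching a build from PowerShell should produce at most a low-priority signal, while a script host feeding MSBuild a non-project file out of a temp directory combines three independent oddities and deserves an analyst's attention. Real EDR rules would add the process's network activity and the signing status of whatever it writes, which this constructed event set does not carry.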

John Lesley

John Lesley, known as LeadZevs, is a seasoned trader with extensive expertise in technical analysis and cryptocurrency market forecasting. With over 14 years of experience across diverse markets and assets, including currencies, indices, and commodities, John has established himself as a leading voice in the trading community.

As the author of highly popular topics on major forums, which have garnered millions of views, John serves as both a skilled analyst and professional trader. He provides expert insights and trading services for clients while also managing his own trading portfolio. His deep understanding of market trends and technical indicators makes him a trusted figure in the cryptocurrency space.
