Phishing Campaign Targets “Convert Word to PDF” Websites

🚨 Overview 🚨
Cyber attackers are exploiting the popularity of online file conversion tools by launching phishing campaigns targeting users seeking to convert Word documents to PDF. Here’s how the attack unfolds:

  1. Bait and Switch:
    Attackers lure victims to legitimate-looking websites offering free PDF conversion tools.
  2. Malicious Download:
    Users are tricked into downloading an executable file, seemingly a PDF converter.
  3. Hidden Threats:
    The downloaded executable contains embedded suspicious PowerShell scripts, potentially compromising the user’s device.

🔍 Analytics

The websites involved in this campaign, such as pdfrun[.]online and pdfruns[.]com, are designed to mimic genuine services, adding credibility to the attack. Upon analysis, the executable files downloaded from these sites:

  • Contain obfuscated PowerShell commands.
  • Attempt to establish connections to external C2 servers.
  • Could exfiltrate sensitive data or drop additional malware on the victim’s system.

File Hash Analysis:

  • SHA-256: b1610db4a17ec0995851a89b09da1184ab70365063646224daa6f501f542d8f7
  • SHA-256: e93755ffe3c4efc6be798279e8f5f0f1b4161557402995f7ec5c36e42a1a575e

The files exhibit high detection rates on sandboxing platforms, flagging them as potential threats.

🔴 What Undercode Says

According to Undercode, campaigns like these highlight the importance of cybersecurity awareness:

  • Trust but Verify: “Always scrutinize websites offering free tools, especially when they require downloads.”
  • Adopt Safe Practices: “Opt for web-based tools without downloads or use trusted offline software from verified vendors.”
  • Incident Reporting: “If you suspect a phishing attempt, report it immediately to relevant authorities and ensure your systems are scanned for infections.”

🔺 Indicators of Compromise (IOCs):

  • Websites:
    • pdf-run-website[.]pages[.]dev
    • pdfrun[.]online
    • pdfruns[.]com
  • Malicious File Hashes:
    • b1610db4a17ec0995851a89b09da1184ab70365063646224daa6f501f542d8f7
    • e93755ffe3c4efc6be798279e8f5f0f1b4161557402995f7ec5c36e42a1a575e
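The IoC list above is most useful when it is actually run against local evidence. The following Python script is an added example, not code from the original post or from Undercode: it refangs the three listed domains, flags proxy log lines that reach any of them (including subdomains, so `www.pdfruns.com` matches while the unrelated `notpdfrun.online` does not), and computes SHA-256 hashes of files under a directory to compare against the two listed hashes. The log line format and the sample lines are constructed for the example; adapt the regular expression to your own proxy or DNS log layout.

```python
import hashlib
import re
from pathlib import Path

# Indicators quoted from the post's IoC section (domains are defanged there).
IOC_DOMAINS_DEFANGED = [
    "pdf-run-website[.]pages[.]dev",
    "pdfrun[.]online",
    "pdfruns[.]com",
]
IOC_SHA256 = {
    "b1610db4a17ec0995851a89b09da1184ab70365063646224daa6f501f542d8f7",
    "e93755ffe3c4efc6be798279e8f5f0f1b4161557402995f7ec5c36e42a1a575e",
}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'pdfrun[.]online' back into 'pdfrun.online'."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def host_matches_ioc(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed malicious domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Pulls the host part out of any http(s) URL in a log line (constructed format).
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def scan_proxy_log(lines) -> list:
    """Return the log lines that contain a URL pointing at a listed domain."""
    hits = []
    for line in lines:
        if any(host_matches_ioc(m.group(1)) for m in HOST_RE.finditer(line)):
            hits.append(line)
    return hits


def is_ioc_hash(hexdigest: str) -> bool:
    """True if a SHA-256 hex digest is one of the listed malicious hashes."""
    return hexdigest.lower() in IOC_SHA256


def sha256_of_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large downloads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_ioc_files(root: Path) -> list:
    """Return files under `root` whose SHA-256 matches a listed malicious hash."""
    return [p for p in root.rglob("*") if p.is_file() and is_ioc_hash(sha256_of_file(p))]


# Constructed sample proxy log lines (not real traffic) to exercise the matcher.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 GET https://pdfrun.online/download/converter.exe 200",
    "2024-01-01T10:00:02Z 10.0.0.6 GET https://example.com/index.html 200",
    "2024-01-01T10:00:03Z 10.0.0.7 GET https://www.pdfruns.com/ 200",
    "2024-01-01T10:00:04Z 10.0.0.8 GET https://notpdfrun.online/ 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("IoC domain hit:", hit)
    # Point this at a downloads folder on the host being checked.
    for f in find_ioc_files(Path(".")):
        print("IoC hash hit:", f)
```

Run it as-is to see the two constructed log hits; for a real check, feed `scan_proxy_log` your exported proxy or DNS log lines and point `find_ioc_files` at the user's downloads directory. The subdomain-aware match matters because the `pages[.]dev` indicator is itself a subdomain of a shared hosting platform, so exact-string matching on the bare domain would be too loose and matching only the full hostname would miss trivial variants.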

🛡️ Stay Safe:

  • Always verify the source of tools before downloading.
  • Use robust endpoint security solutions to detect malicious scripts.
  • Educate yourself on identifying phishing campaigns.

Stay vigilant, stay safe!
