- At least five Google Ads campaigns drove traffic to sites promoting spoofed software
- Several different PDF editors were trojanized to deliver infostealers
- Defenders warn of the TamperedChef infostealing malware
Be careful when downloading a program called “Appsuite PDF editor” – there are poisoned variants circulating around the web.
At the end of June, security researchers at Truesec noticed several websites, all distributing a spoofed copy of the program. At the same time, at least five different Google Ads campaigns were set up to promote those websites.
As a result, anyone searching for "Appsuite PDF editor" could have landed on one of the many sites serving a trojanized version of the app. Those who downloaded it went through the usual installation process, with the end-user license agreement displayed in the foreground, while an infostealer and backdoor called TamperedChef was deployed in the background.
PDF editors filled with malware
What makes this malware particularly unsettling is the deliberate delay it operates with. It waits roughly 56 days before activating, most likely to give the threat actors enough time to distribute the infostealer to as many victims as possible before defenders discover it.
"The length from the start of [the ad] campaign until the malicious update was also 56 days, which is close to the 60-day length of a typical Google commercial campaign, suggesting that the threat actor lets the ad campaign run its course and maximize downloads before activating the malicious features," Truesec said.
In the meantime, it establishes persistence through Windows registry changes and creates various scheduled tasks. Once activated, TamperedChef can collect browser credentials, session cookies and other sensitive data, mostly by terminating browser processes and then using the Windows Data Protection API (DPAPI) to decrypt the stored secrets.
It also performs system reconnaissance to determine which antivirus or anti-malware tools the victim is running, and can act as a backdoor to deploy additional malware.
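A defensive correlation sketch for the behaviour just described (long dormancy after install, persistence via a scheduled task or Run key, then termination of browser processes ahead of credential theft), written as an added example rather than anything from Truesec or the article; the event names, fields and file paths are constructed assumptions standing in for Sysmon-style telemetry.

```python
"""Hunt for the pattern described above: software that lies dormant, then sets
persistence (scheduled task / Run key) and terminates browsers before harvesting
credentials. Added example; the event format is a constructed assumption."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
PERSISTENCE = {"scheduled_task_created", "registry_run_key_set"}

def _ts(event):
    return datetime.fromisoformat(event["time"])

def find_dormant_stealers(events, min_dormancy_days=30):
    """Group events by the install folder of the acting image (assumption: the
    installer and its later payload share a folder). Flag a folder whose software
    set persistence, later killed a browser, and did so only after a long dormancy."""
    by_dir = {}
    for e in events:
        folder = str(PureWindowsPath(e["image"]).parent).lower()
        by_dir.setdefault(folder, []).append(e)
    findings = []
    for folder, evs in by_dir.items():
        evs.sort(key=_ts)
        installs = [e for e in evs if e["event"] == "installed"]
        persist = [e for e in evs if e["event"] in PERSISTENCE]
        kills = [e for e in evs if e["event"] == "process_terminated"
                 and e.get("target", "").lower() in BROWSERS]
        if not (installs and persist and kills):
            continue  # benign: no persistence, or never touched a browser
        dormancy = _ts(kills[0]) - _ts(installs[0])
        if dormancy >= timedelta(days=min_dormancy_days):
            findings.append({"folder": folder, "dormancy_days": dormancy.days,
                             "persistence_events": len(persist),
                             "browser_kills": len(kills)})
    return findings

# Constructed sample: a spoofed editor installed 20 June that wakes up 56 days
# later, beside a legitimate app that sets a Run key but never touches browsers.
EDITOR = r"C:\Program Files\ExampleEditor\editor.exe"  # placeholder path
GOOD = r"C:\Program Files\GoodApp\goodapp.exe"          # placeholder path
SAMPLE_EVENTS = [
    {"time": "2025-06-20T09:00:00", "event": "installed", "image": EDITOR},
    {"time": "2025-08-15T09:12:00", "event": "scheduled_task_created", "image": EDITOR},
    {"time": "2025-08-15T09:12:05", "event": "registry_run_key_set", "image": EDITOR},
    {"time": "2025-08-15T09:12:30", "event": "process_terminated",
     "image": EDITOR, "target": "chrome.exe"},
    {"time": "2025-06-21T08:00:00", "event": "installed", "image": GOOD},
    {"time": "2025-06-21T08:00:10", "event": "registry_run_key_set", "image": GOOD},
]
```

Raising `min_dormancy_days` toward the 60-day ad-campaign length reported above trades fewer false positives for missing actors that activate earlier.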
Appsuite is also not the only PDF editor to be spoofed in this campaign. PDF OneStart and PDF Editor have also been observed being abused in the same (or an adjacent) campaign.
Via The Hacker News