Microsoft Publisher files spread backdoor to steal corporate data, Bitdefender warns
A targeted spam wave is infecting Windows computers with a backdoor capable of stealing sensitive corporate information from medium and small-sized businesses.
Bitdefender antispam researchers have identified a couple of thousand emails containing .pub attachments posing as orders and invoices for products. The email senders impersonate employees from small and medium-sized businesses from the UK and China, as well as other legitimate companies.
Recipients are advised to open the files with Microsoft Publisher, a paid desktop publishing software application embedded in Microsoft Office 365. It”s commonly used as an editor and layout tool for creating leaflets, postcards, newsletters, e-mail newsletters or greeting cards.
.Pub is not your typical file format to host malware,” says Adrian Miron, Head of Antispam Lab at Bitdefender. “Spammers have chosen it because people don”t usually associate this type of file with the possibility of infection.”
The .pub file contains a script (VBScript) that embeds a URL acting as a remote host. From this location, the malware downloads a self-extracting cabinet file containing an AutoIt script, a tool to run the script and an AES-256 encrypted file. The cyphered file can be decrypted using a key derived from the MD5 of a text written in the AutoIt file, antimalware researchers noticed.
Fig. 1 Deobfuscated VBScript
Fig. 2 Decoded AutoIt script with MD5 for decryption key
Once the file is decrypted and installed, attackers have backdoor access and can control resources on the compromised computer. The malware can memorize keystrokes to record passwords and usernames, steal login information from browsers or emails, view system data and take other intrusive actions.
“We have reason to believe that the stack originates from Saudi Arabia and the Czech Republic,” Miron adds.
Bitdefender detects and blocks the .pub file as W97M.Downloader.EGF and the backdoor paypload as Generic.Malware.SFLl.545292C0.
To stay protected from this type of threats, Bitdefender advises companies to install a robust anti-spam filter. Users should avoid opening and downloading suspicious email attachments from unsolicited sources.
Technical analysis courtesy of Alexandru RUSU, Antimalware Researcher at Bitdefender and Adrian MIRON, Head of Antispam at Bitdefender.
August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War
August 31, 2022
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor
August 30, 2022
What is medical identity theft and how to protect against it
July 27, 2022
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside
June 28, 2022
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online
June 28, 2022