2 min read

Microsoft Publisher files spread backdoor to steal corporate data, Bitdefender warns

Alexandra GHEORGHE

September 13, 2016


A targeted spam wave is infecting Windows computers with a backdoor capable of stealing sensitive corporate information from medium and small-sized businesses.

Bitdefender antispam researchers have identified a couple of thousand emails containing .pub attachments posing as orders and invoices for products. The email senders impersonate employees from small and medium-sized businesses from the UK and China, as well as other legitimate companies.

Recipients are advised to open the files with Microsoft Publisher, a paid desktop publishing software application embedded in Microsoft Office 365. It's commonly used as an editor and layout tool for creating leaflets, postcards, newsletters, e-mail newsletters or greeting cards.

“.Pub is not your typical file format to host malware,” says Adrian Miron, Head of Antispam Lab at Bitdefender. “Spammers have chosen it because people don't usually associate this type of file with the possibility of infection.”

The .pub file contains a VBScript that embeds the URL of a remote host. From this location, the malware downloads a self-extracting cabinet file containing an AutoIt script, a tool to run the script and an AES-256 encrypted file. The encrypted file can be decrypted using a key derived from the MD5 of a text written in the AutoIt file, antimalware researchers found.

Fig. 1 Deobfuscated VBScript

Fig. 2 Decoded AutoIt script with MD5 for decryption key
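The campaign's lure is an unsolicited "invoice" mail carrying a .pub attachment, and a .pub file is an OLE compound document whose VBA project, when present, lives in a dedicated storage. The following is an added example of a mail-gateway triage rule (not Bitdefender's detection logic); it assumes the gateway can hand the rule each attachment's name and bytes, that the VBA storage names "Macros", "VBA" and "_VBA_PROJECT" appear UTF-16LE-encoded in the OLE directory, and the sample message it scans is constructed inline.

```python
"""Triage rule for inbound mail: flag .pub attachments, and escalate those
that are OLE compound files carrying VBA macro storage (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Magic bytes at the start of every OLE compound document (.doc, .pub, ...).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Storage/stream names used for VBA projects; OLE stores directory entry
# names as UTF-16LE, so encode them the same way before searching (assumption).
MACRO_MARKERS = [n.encode("utf-16-le") for n in ("Macros", "VBA", "_VBA_PROJECT")]


def classify_attachment(filename, data):
    """Return the list of reasons this attachment is suspicious (empty if none)."""
    reasons = []
    if not filename.lower().endswith(".pub"):
        return reasons
    reasons.append("pub-attachment")          # rare in business mail: always log
    if data[:8] == OLE_MAGIC:
        if any(marker in data for marker in MACRO_MARKERS):
            reasons.append("ole-macro-storage")  # VBA project present: quarantine
    else:
        reasons.append("pub-without-ole-header")  # extension does not match content
    return reasons


def scan_message(raw):
    """Parse one RFC 822 message and map attachment names to their findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, payload)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample():
    """Constructed sample: an 'invoice' mail with a fake .pub whose bytes carry
    the OLE header and a 'Macros' storage name (not a real Publisher file)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "buyer@example.invalid"
    msg["Subject"] = "Order 4471 - invoice attached"
    msg.set_content("Please find the invoice attached; open it with Microsoft Publisher.")
    fake_pub = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64
    msg.add_attachment(fake_pub, maintype="application", subtype="x-mspublisher",
                       filename="invoice_4471.pub")
    return msg.as_bytes()
```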

Once the file is decrypted and installed, attackers have backdoor access and can control resources on the compromised computer. The malware can memorize keystrokes to record passwords and usernames, steal login information from browsers or emails, view system data and take other intrusive actions.

“We have reason to believe that the stack originates from Saudi Arabia and the Czech Republic,” Miron adds.

Bitdefender detects and blocks the .pub file as W97M.Downloader.EGF and the backdoor payload as Generic.Malware.SFLl.545292C0.

MD5: 8bcaf480f97eb43d3bed8fcc7bc129a4

To stay protected from this type of threat, Bitdefender advises companies to install a robust anti-spam filter. Users should avoid opening or downloading suspicious email attachments from unsolicited sources.

Technical analysis courtesy of Alexandru RUSU, Antimalware Researcher at Bitdefender and Adrian MIRON, Head of Antispam at Bitdefender.
