Threat Awareness – Snake Keylogger Propagates Through Malicious PDFs

Security researchers have discovered a new phishing campaign that leverages malicious PDFs and a five-year-old remote code execution (RCE) vulnerability to deliver Snake Keylogger malware to victim devices. Snake Keylogger steals credentials, victim keystrokes, screenshots of victim’s screen, and clipboard data. In this particular campaign, victims’ receive an email named “Remittance Invoice,” with a weaponized PDF attached. When the PDF is opened, Adobe Reader prompts them with a Word document, deceivingly named “has been verified” to trick users into opening it. The Word document, which contains exploit code for an old vulnerability, ultimately installs the Snake Keylogger. The exploit leverages a Microsoft Office memory corruption vulnerability (CVE-2017-11882) that has been included in CISA’s Known Exploited Vulnerabilities since the initial publishing of the catalog on 11/3/2021. To reduce the risk posed from the exploitation of old vulnerabilities, members are encouraged to regularly review CISA’s Known Exploited Vulnerabilities Catalog and address impacted products accordingly in a timely fashion. Read more at ThreatPost.