PDF Malware on the Rise, Used to Spread WikiLoader, Ursnif and DarkGate


PDF threats are on the rise with cybercriminals spreading malware, including WikiLoader, Ursnif and DarkGate, through PDFs, a new report by HP Wolf Security has found.

The company’s analysis saw the share of malware delivered via PDF rise by seven percentage points between Q1 and Q4 2023. It noted that PDF lures had previously been used mainly to elicit credentials and financial details from victims through phishing; now malware itself is being spread through these documents.

Of the malware the company analyzed in Q4 2023, 11% used PDFs as a delivery method, compared to just 4% in Q1.

A notable example was a WikiLoader campaign using a fake parcel delivery PDF to trick users into installing Ursnif malware, HP Wolf Security said.

Ad Tools Used to Sharpen Attacks

The DarkGate malware campaign used ad tools to track victims and evade detection, HP said.

Malicious PDF attachments, posing as OneDrive error messages, direct users to sponsored content hosted on a popular ad network.

They prompt the target to click on a link to read the document they’ve been promised. In fact, clicking the link downloads files containing malware that infects the computer with DarkGate.

HP noted that because many people now open PDF documents in a web browser, a PDF that sends the reader to a web page is an unremarkable experience, which makes this lure very convincing.

The attackers use the ad network’s own analytics to measure which lures generate the most clicks and infections, which helps them refine campaigns for maximum impact.

Dr Ian Pratt, Global Head of Security for Personal Systems at HP Inc., commented: “Cybercriminals are applying the same tools a business might use to manage a marketing campaign to optimize their malware campaigns, increasing the likelihood the user will take the bait.”

“To protect against well-resourced threat actors, organizations must follow zero trust principles, isolating and containing risky activities like opening email attachments, clicking on links and browser downloads,” he said.

Threat actors also place CAPTCHA challenges in front of the payload so that automated sandboxes cannot reach and scan the malware; only a human who solves the challenge and clicks through receives the file.

DarkGate, which operates as malware-as-a-service, gives its customers backdoor access into victim networks, exposing those victims to risks such as data theft and ransomware.

Attackers Bypass Security Policies and Detection

Cybercriminals continue to diversify attack methods to bypass security policies and detection tools.

The most popular malware delivery type was archives, used in 30% of incidents analyzed by HP. The top three malicious archive formats in Q4 were RAR, ZIP and GZ.

At least 14% of email threats identified by HP Sure Click bypassed one or more email gateway scanners.

The top threat vectors in Q4 were email (75%), downloads from browsers (13%) and other means such as USB drives (12%).

Other findings included a shift from macros to Office exploits. At least 84% of attempted intrusions involving spreadsheets, and 73% of those involving Word documents, sought to exploit vulnerabilities in Office applications rather than rely on macros.

Data was gathered from consenting HP Wolf Security customers from October-December 2023.
