URL: https://www.theregister.com/2024/02/15/malware_pdf_wolf_security/
Submission: On February 16 via api from TR — Scanned from DE
Miscreants turn to ad tech to measure malware metrics

Now that's what you call dual-use tech

Thomas Claburn, Thu 15 Feb 2024 // 08:27 UTC

Cyber baddies have turned to ad networks to measure malware deployment and to avoid detection, according to HP Wolf Security.

The security group's Q4 2024 Threat Insights Report finds criminals have adopted ad tech tools to make their social engineering attacks more effective.

"Cyber criminals are applying the same tools a business might use to manage a marketing campaign to optimize their malware campaigns, increasing the likelihood the user will take the bait," explained Ian Pratt, global head of security for personal systems at HP, in a statement.

The DarkGate PDF malware campaign, for example, relies on ad tools. Dating back to 2018, DarkGate provides backdoor access to victims' computers for the purpose of data theft and ransomware.

The campaign involves sending email messages to victims with malicious PDF attachments. Those duped into opening one see a social engineering message – often in the form of a Microsoft OneDrive error message that prompts the victim to click a link to download the document.

The report explains that this often works because the attackers know that office workers rely on cloud-based applications with user interfaces that often change. This makes it more difficult to spot fake interface elements or bogus error messages.

Clicking on the fake OneDrive error message does not immediately download the malware payload. Rather, it routes the victim's click – containing identifiers and the domain hosting the file – through an advertising network, which then fetches the malicious URL; that URL is not visible in the PDF itself.

"Using an ad network as a proxy helps the attacker to evade detection and collect analytics on who clicks their links," the report explains. "Since the advertising network uses CAPTCHAs to verify real users to prevent click fraud, it's unlikely automated malware analysis systems would be able to scan the malware payload, leading to the risk of falsely classifying the file as safe."

According to HP Wolf Security, 11 percent of malware analyzed in Q4 2023 relied on PDFs for delivery – up from 4 percent in Q1 and Q2 that same year. As an example, the security biz points to the WikiLoader campaign, which used a fake parcel delivery PDF to spread malware known as Ursnif.

The security biz also notes that it's seeing more Office exploits and fewer macro-enabled attacks. During Q4, about 84 percent of attempted intrusions incorporated spreadsheets, while 73 percent involved Word documents.

Finally, the report notes that attackers continue to host malware on cloud services as a way to benefit from the trust users may place in these platforms. The analysts point to the Remcos remote access trojan, which relies on a user-downloaded JavaScript file hosted on the chat service Discord. The malicious file then connects to the file-sharing service TextBin to fetch a Base64-encoded executable hosted there.

While the attacks may be more sophisticated, Pratt's advice for countering them remains the same: "To protect against well-resourced threat actors, organizations must follow zero trust principles, isolating and containing risky activities like opening email attachments, clicking on links, and browser downloads." ®