The Hacker group TA505 has launched a new e-mail spam exploit to infect computers with remote access software that they can use to take over computers for financial gain.
They’re using weaponized PDF files as attachments on very simple e-mails like the sample shown here. When users click on the PDF attachment, they are presented with a warning prompt with “Open this file” as the default option. Once opened, the .SettingContent-ms file launches PowerShell to download and execute the FlawedAmmyy RAT payload to infect the local PC.
Sample of a TA505 e-mail with a weaponized PDF attachment.
|
|
What can you do to stop this exploit?
First, alert your users to be wary of PDF attachments from senders they don’t know. Show them the sample included above so they can recognize the hacker ploy if it comes into their mailbox. and consider showing them what the warning prompt triggered in these cases looks like.
Advise them on what to do if they see it.
In addition, consider adjusting Windows settings to force SettingContent-ms files to always open in NotePad instead of executing. In that way, this kind of exploit malware can be stopped from executing.
TA505 is a very active player in exploits designed to extort or steal financially valuable information via spam e-mail and their attacks can be massive. This isn’t their first attack and it won’t be their last. What makes this attack unique is that they are using PDF attachments which in the past have been considered a reasonably safe attachment to send and receive. That has now changed. Expect to see more of these ploys in the future.
