A deceptive campaign has emerged, utilizing fake installers for Adobe Acrobat Reader to disseminate a sophisticated malware named Byakugan. The attack initiates with a Portuguese PDF file prompting victims to download Adobe Reader to view obscured content, leading to the installation of malicious files. Leveraging DLL hijacking and Windows UAC bypass techniques, the malware deploys a dynamic-link library and executes its final payload, demonstrating an intricate infection chain.
Fortinet FortiGuard Labs and AhnLab Security Intelligence Center (ASEC) have disclosed details of this campaign, shedding light on its multifaceted approach. Byakugan, packed into its executable by pkg, demonstrates a node.js-based architecture and employs various libraries for diverse functionalities. These functionalities range from persistence establishment and desktop monitoring to cryptocurrency mining and data exfiltration, complicating detection efforts.
Furthermore, the campaign underscores a broader trend in malware tactics, blending both clean and malicious components to obfuscate analysis and detection. This approach, noted by Fortinet, heightens the complexity of accurate threat identification. The disclosure coincides with ASEC’s revelation of another campaign distributing the Rhadamanthys information stealer, highlighting the ongoing evolution and diversification of cyber threats.
In addition, recent discoveries indicate the manipulation of legitimate software such as Notepad++ to propagate malware like WikiLoader, demonstrating the adaptability and resourcefulness of threat actors in their pursuit of compromising systems and harvesting sensitive data.
