
Source: Zimperium
A new report from Fernando Ortega, a malware researcher at Zimperium, exposes an advanced phishing campaign targeting mobile users through malicious PDF files. The report sheds light on a large-scale operation that leverages social engineering and obfuscation techniques to steal sensitive user data.
Zimperium’s zLabs team identified over 20 malicious PDF files and 630 phishing pages, all impersonating the United States Postal Service (USPS). The campaign begins with SMS messages sent to users, urging them to resolve fake delivery issues. These messages include PDF attachments that contain hidden, clickable elements redirecting users to phishing websites.
Ortega explains, “PDFs have become a common vector for phishing attacks, malware, and exploits due to their ability to embed malicious links, scripts, or payloads.” The attackers exploit the false sense of security associated with PDFs, tricking users into interacting with what appears to be legitimate content.
- Hidden URLs and Obfuscation Techniques:
Unlike a conventional PDF link, which stores its target in a /URI action, these malicious PDFs embed clickable links in other ways, so the URLs do not surface with the usual extraction tools. According to the report, “The PDFs used in this campaign embed clickable links without utilizing the standard /URI tag, making it more challenging to extract URLs during analysis,” which the researchers say also lets the files slip past endpoint security solutions.
- Advanced Social Engineering:
Once opened, the PDFs prompt users to tap buttons such as “Click Update,” which lead to phishing pages mimicking USPS. These pages request personal information such as names, addresses and credit card details.
- Data Exfiltration and Encryption:
The collected data is encrypted with the Rabbit stream cipher before being sent to a command-and-control (C&C) server. Zimperium’s analysis recovered the magicCat-response and magicCat-request keys used for that encryption, a level of care rarely seen in phishing kits. Rabbit is a symmetric stream cipher, so whatever encrypts the stolen data must hold the same key that decrypts it; the encryption defeats inspection of the traffic in transit, not analysis of the kit once it is in hand.
- Multilingual Phishing Kit:
The campaign ships localized phishing pages, allowing attackers to target users in more than 50 countries. That localization reflects a significant investment in scalability and evasion.
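To make the hidden-URL point concrete, here is an added example (not code from Zimperium or from the report) that walks a PDF's objects, reports each /Link annotation together with the type of action it carries, flags links whose action is anything other than a plain /URI, and inflates Flate-compressed streams so that URLs hidden there are found as well. It builds its own constructed sample PDF using only the standard library; the object layout, the example.com/.net/.org domains and the JavaScript in it are invented for illustration.

```python
import re
import zlib

# Matches http(s) URLs; quotes and parentheses are excluded so PDF string delimiters stop the match.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'*+,;=%-]+")
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)


def build_sample_pdf():
    """Constructed sample (not a file from the Zimperium report). Object 4 is a
    conventional /URI link; object 5 is a /Link whose action is JavaScript, so
    its URL never sits under a /URI key; object 6 is a Flate-compressed
    JavaScript stream whose URL a plain grep of the file would miss."""
    js = zlib.compress(b'app.launchURL("https://example.org/payload", true);')
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R "
        b"/OpenAction << /S /JavaScript /JS 6 0 R >> >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Annots [4 0 R 5 0 R] >> endobj\n",
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [50 700 300 730] "
        b"/A << /S /URI /URI (https://example.com/legit) >> >> endobj\n",
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [50 600 300 630] "
        b'/A << /S /JavaScript /JS (app.launchURL("https://example.net/track", true);) >> >> endobj\n',
        b"6 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(js)
        + js + b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


def _balanced_dict(body, start):
    """Return the << ... >> dictionary that opens at body[start] (ignores << inside strings)."""
    depth, i = 0, start
    while i < len(body) - 1:
        tok = body[i:i + 2]
        if tok in (b"<<", b">>"):
            depth += 1 if tok == b"<<" else -1
            i += 2
            if depth == 0:
                return body[start:i]
        else:
            i += 1
    return body[start:]


def _action_dict(body, objects):
    """Find the annotation's /A action; follows one indirect reference (n 0 R)."""
    m = re.search(rb"/A\s*(<<|(\d+)\s+\d+\s+R)", body)
    if not m:
        return b""
    if m.group(2):
        target = objects.get(int(m.group(2)), b"")
        idx = target.find(b"<<")
        return _balanced_dict(target, idx) if idx >= 0 else b""
    return _balanced_dict(body, m.start(1))


def _decode_stream(body):
    """Return the stream content, inflating it when the object declares /FlateDecode."""
    m = re.search(rb"stream\r?\n(.*?)\r?\nendstream", body, re.DOTALL)
    if not m:
        return b""
    raw = m.group(1)
    if b"/FlateDecode" in body:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw  # corrupt or unsupported stream: fall back to the raw bytes
    return raw


def scan_pdf(data):
    """Report every /Link annotation (object number, action type, URLs, whether
    the action is a plain /URI) and every URL found inside a decoded stream."""
    objects = {int(n): body for n, body in OBJ_RE.findall(data)}
    links, stream_urls = [], []
    for num, body in objects.items():
        if re.search(rb"/Subtype\s*/Link\b", body):
            action = _action_dict(body, objects)
            s = re.search(rb"/S\s*/(\w+)", action)
            kind = s.group(1).decode() if s else "none"
            links.append({"obj": num, "action": kind,
                          "urls": [u.decode() for u in URL_RE.findall(action)],
                          "standard": kind == "URI"})
        if b"stream" in body:
            stream_urls += [(num, u.decode()) for u in URL_RE.findall(_decode_stream(body))]
    return {"links": links, "stream_urls": stream_urls}


if __name__ == "__main__":
    rep = scan_pdf(build_sample_pdf())
    for l in rep["links"]:
        flag = "" if l["standard"] else "   <-- link without /URI action"
        print(f"obj {l['obj']}: /S /{l['action']} urls={l['urls']}{flag}")
    for num, url in rep["stream_urls"]:
        print(f"obj {num}: URL inside decoded stream: {url}")
```

Running it shows object 4 as a normal /URI link, object 5 flagged as a link whose destination is only visible inside a JavaScript action, and the example.org URL surfacing from the inflated stream in object 6. The regex-based object walker is deliberately minimal: real-world files add cross-reference streams, object streams, other filters and encrypted strings, so for production triage hand the same questions (which annotations have non-/URI actions, which streams contain URLs or launchURL calls) to a full parser such as pdfid, peepdf or pypdf. The lesson carries over regardless of tooling: an extractor that only looks for /URI keys is exactly what a kit like this is built to evade.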
The report highlights the growing security risks PDFs pose in enterprise environments, especially on mobile devices. Ortega notes, “Without robust mobile threat defense mechanisms, particularly on-device scanning, enterprises face the risk of data breaches, credential theft, and compromised workflows via seemingly harmless PDF files.” The portability and accessibility of PDFs make them ideal for exploitation, particularly in environments where users have limited visibility into file contents before opening them.