BYAKUGAN Strikes Portuguese-Speaking Nations

Cybersecurity experts are issuing a warning about a new wave of attacks targeting Portuguese-speaking countries. These attacks involve the use of fake Adobe Reader installers to distribute a multifunctional malicious software known as BYAKUGAN.

The initial stage of the attack involves a PDF file that displays a blurred image and prompts the victim to download a third-party application to view its contents.

According to researchers from Fortinet, clicking on the link in the fake notice leads to the download of an installer that kickstarts the infection process. Information about this campaign was first published by the ASEC cyber intelligence center last month.

The attack technique employs methods such as DLL Hijacking and bypassing Windows User Account Control (UAC) to download a malicious DLL file, which then activates the main malicious code. The legitimate installer of the PDF reader Wondershare PDFelement is also involved in this process.

The BYAKUGAN malware is capable of gathering system metadata and sending it to a control server, as well as loading the main module “Chrome.exe,” which acts as a control server for receiving files and commands.

BYAKUGAN is built on node.js and bundles various libraries for functions such as system persistence, desktop monitoring using OBS Studio, cryptocurrency mining, logging killers, file inventory and loading, and data theft from web browsers.

While examining the malicious connections, researchers reached the BYAKUGAN web control panel, which presents a login screen. The browser tab shows a ninja icon with white eyes in the corner, a clear reference to the Naruto anime, much like the name of the malware itself.

The use of entirely legitimate components in malware like BYAKUGAN is a growing trend noted by Fortinet, and it complicates both detection and analysis of the threat.

Similar threats have been observed recently, such as phishing attacks targeting the US oil and gas corporate sector with fake installers delivered under the guise of an accident notification. In these attacks, the PDF file tricks users by imitating an Adobe Reader notification, leading them to install the Rhadamanthys malware, which collects data from infected systems.
