PDF Malware on the Rise, Used to Spread WikiLoader, Ursnif and DarkGate

A recent trend of cybercriminals leveraging PDFs to distribute malware has been documented in HP Wolf Security's threat report, which records a 7% increase in PDF-based threats during Q4 2023 compared to Q1. This surge in malicious activity includes the dissemination of notorious malware strains such as WikiLoader, Ursnif, and DarkGate.

Specifically, the report highlights a campaign in which cybercriminals used a fake parcel delivery PDF as a lure to trick unsuspecting users into installing Ursnif malware. The DarkGate campaign, meanwhile, employs advertising tools to track victims and evade detection, further complicating defenders' efforts. Compounding the problem, cybercriminals are using CAPTCHA tools to bypass sandbox scanning so that only human interaction triggers their malicious payloads, increasing the effectiveness of their attacks.

Analyst Comments:
Furthermore, the report underscores the diversification of attack methods: archives have emerged as the most prevalent delivery method for malware, with RAR, ZIP, and GZ formats being particularly favored. There has also been a notable shift in tactics from macros to Office exploits, with a significant percentage of attempted intrusions targeting vulnerabilities in Office applications.

Overall, the data gathered from HP Wolf Security customers paints a vivid picture of the evolving threat landscape, one that calls for a proactive approach from organizations to bolster their cybersecurity defenses and mitigate the risks posed by these sophisticated and relentless adversaries.

Suggested Corrections:

To protect against well-resourced threat actors, organizations must follow zero trust principles, isolating and containing risky activities such as opening email attachments, clicking on links, and downloading files in the browser.