Beware! Disguised Adobe Reader Installer That Installs Infostealer Malware

An infostealer disguised as the Adobe Reader installation has been observed. The file is disseminated in PDF format and prompts users to download and run it.

The fake PDF file, according to AhnLab Security Intelligence Center (ASEC), is written in Portuguese and instructs users to download and install Adobe Reader. 

It urges users to download and install malware by informing them that Adobe Reader is needed to open the file.

The Flow Of The Attack

Researchers say the message prompts users to install and download Adobe Reader.

When users click the gray area as seen below, malware is downloaded, and they are redirected to the following message, hxxps://raw.githubusercontent[.]com/fefifojs/reader/main/Reader_Install_Setup.exe

Fake PDF File

“The downloaded file takes the form of the Adobe Reader icon, and its name is set as Reader_Install_Setup.exe.

By taking the disguise of the Adobe Reader installer, it prompts the user to run it”, ASEC researchers shared with Cyber Security News.

Reader_Install_Setup.exe

The downloaded file’s execution procedure has three stages: file creation, DLL Hijacking & UAC Bypass, and Information Leak.

Attack Phases

Following the file creation phase, Reader_Install_Setup.exe uses the following command to launch msdt.exe, a Windows system file, and produces two malicious files.

“C:\Windows\SysWOW64\msdt.exe” -path “C:\WINDOWS\diagnotics\index\BluetoothDiagnostic.xml” -skip yes

Running sdiagnhost.exe as administrator is the function of the msdt.exe process that is now running.

Therefore, when the sdiagnhost.exe process loads BluetoothDiagnosticUtil.dll, the malicious DLL file is loaded.

Following the above process, the threat actor can bypass user account control (UAC) by using DLL hijacking.

During the information leak phase, it generates files, including chrome.exe, and conceals them in the generated path.

Chrome.exe collects system and browser information and sends it to the C2 server.

The created chrome.exe is a malicious file associated with the actual Google Chrome browser, and it impersonates the actual browser executable file by using the same icon.

Consequently, users who acquire files from unauthorized sources should exercise extreme caution when dealing with files that ask them to run malware.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

14 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

19 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

19 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

22 hours ago