
Deceptive Adobe Acrobat Installers Unleash the Multifaceted Byakugan Malware

Charles M. Walls | April 5, 2024


Scammers are now targeting Adobe Acrobat Reader users with fraudulent installers to spread a new and versatile malware known as Byakugan. The scam begins with a PDF file in Portuguese, which displays a blurry image. Victims are tricked into clicking a link to supposedly download the Reader application to clear up the image, but this leads to malware infection instead.

Research from Fortinet FortiGuard Labs highlights that this deceitful link downloads an installer named "Reader_Install_Setup.exe," kicking off the malware's entry into the system. This strategy was first unveiled by AhnLab Security Intelligence Center (ASEC) recently, shedding light on the sophisticated techniques employed, such as DLL hijacking and bypassing Windows User Access Control (UAC), to inject a harmful dynamic-link library (DLL) named "BluetoothDiagnosticUtil.dll." Interestingly, the attack sequence also includes a genuine PDF reader installer, potentially to disguise the malicious activity.

The malware, once activated, is designed to stealthily collect system information and send it to a command-and-control (C2) server. It also downloads a crucial module named "chrome.exe" from another server, doubling as a C2 hub for command and file reception.
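As an added, defender-side illustration (not part of the original article, nor code from Fortinet or ASEC), the following Python triage scans constructed Sysmon-style events for the artifacts the article names: the "Reader_Install_Setup.exe" dropper, a "BluetoothDiagnosticUtil.dll" loaded from outside the usual Windows or Program Files directories, and a "chrome.exe" running from a user-writable location. The event shape and the "trusted directory" heuristic are assumptions; only the file names come from the article.

```python
"""Triage of constructed Sysmon-style events for Byakugan-related artifacts.

Added example, not from the article. The event format and the directory
heuristics are assumptions; the file names are those reported in the article.
"""
from dataclasses import dataclass

# Artifact names as reported in the article (lower-cased for comparison).
DROPPER_NAME = "reader_install_setup.exe"
HIJACKED_DLL = "bluetoothdiagnosticutil.dll"
MODULE_NAME = "chrome.exe"

# Assumption: where a legitimate binary of these names would normally reside.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Event:
    kind: str   # "process_create" or "image_load"
    path: str   # full path of the started image or loaded module


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def triage(events: list[Event]) -> list[str]:
    """Return one finding per suspicious event; benign events produce nothing."""
    findings = []
    for ev in events:
        lowered = ev.path.lower()
        name = lowered.rsplit("\\", 1)[-1]
        if ev.kind == "process_create" and name == DROPPER_NAME:
            findings.append(f"dropper executed: {ev.path}")
        elif ev.kind == "image_load" and name == HIJACKED_DLL and not _in_trusted_dir(lowered):
            findings.append(f"DLL sideload candidate from untrusted directory: {ev.path}")
        elif ev.kind == "process_create" and name == MODULE_NAME and not _in_trusted_dir(lowered):
            findings.append(f"chrome.exe running outside trusted directories: {ev.path}")
    return findings


# Constructed sample events (not real telemetry); the third one is benign.
SAMPLE = [
    Event("process_create", "C:\\Users\\alice\\Downloads\\Reader_Install_Setup.exe"),
    Event("image_load", "C:\\Users\\alice\\AppData\\Local\\Temp\\BluetoothDiagnosticUtil.dll"),
    Event("process_create", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"),
    Event("process_create", "C:\\Users\\alice\\AppData\\Roaming\\chrome.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```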

Security expert Pei Han Liao notes, "Byakugan is a sophisticated piece of malware, developed with Node.js and encapsulated within its executable through pkg technology. It's not just the main script that's dangerous; it brings along numerous libraries that facilitate a range of malicious activities." These activities range from ensuring the malware persists on the infected system, monitoring the desktop with OBS Studio, and capturing screenshots, to more nefarious actions such as keystroke logging, file enumeration and upload, and even pilfering data from web browsers.

Fortinet observes a rising trend in malware developers mixing legitimate and malicious software elements to confuse analysis and evade detection, with Byakugan exemplifying this technique perfectly. This tactic complicates the detection process by increasing the "noise" during analysis.

This revelation is part of a larger wave of sophisticated cyber threats, including a new campaign spreading the Rhadamanthys information stealer disguised as a groupware installer. ASEC uncovered that the perpetrators behind this campaign created a counterfeit website that mimics the authentic one, drawing victims in through search engine ads. Furthermore, there's been a report of a tampered version of Notepad++ being used to distribute the WikiLoader malware, known alternatively as WailingCrab, highlighting the continuous evolution and sophistication of cyber-attacks.
