Beware: Hackers hide malicious Microsoft Word files in PDFs

Hackers use polyglot files to trick their targets into installing malware on their devices, experts warn.

Research by Japan’s Computer Emergency Response Team (JPCERT) has revealed that hackers are distributing a single file that is valid both as a .PDF file and as a .DOCX file.

Polyglots are files that are valid in two different formats at once, and so can be opened as either one depending on the extension and the application used.

Run macros

The file in question, a .PDF document, hosts a Word document with a VBS macro. If the victim opens the file with Microsoft Word, the file downloads and installs MSI malware. The silver lining here is that macros are still disabled by default in Microsoft Office programs. That means that even if the victim downloads and executes the malicious file, he or she still has to manually disable these protections and unblock the file so that the macro can download the malware and infect the endpoint.

The Japanese researchers did not say who was behind the campaign, or what malware was being distributed. They did say that the attack was first discovered in July this year and that it successfully evaded antivirus detection in at least one case. The researchers speculate that this is because most scanning engines classify the file as a .PDF, even though it opens as a regular Word document.
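The detection gap described above comes from looking at only one format. As an added illustration (not code from JPCERT or Bleeping Computer), this Python check inspects a file through both lenses at once: the PDF signature a scanner keys on, and the ZIP/OOXML structure Word would actually open. The sample bytes are constructed here and are not real malware.

```python
import io
import zipfile

def build_minimal_docx_bytes() -> bytes:
    """Constructed stand-in for a macro-enabled Word document (an OOXML ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        # vbaProject.bin is where Word stores VBA macros in a .docm-style package
        z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

# Constructed samples: a tiny PDF, a tiny DOCX, and a file that is both.
PDF_SAMPLE = b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\n%%EOF\n"
DOCX_SAMPLE = build_minimal_docx_bytes()
POLYGLOT_SAMPLE = PDF_SAMPLE + DOCX_SAMPLE

def detect_formats(data: bytes) -> dict:
    """Report every container format the byte stream would be accepted as."""
    found = {"pdf": False, "docx": False, "docx_macros": False}
    # PDF readers only require "%PDF-" within the first 1024 bytes, which is
    # why a PDF-first polyglot gets classified as a PDF by most scanners.
    found["pdf"] = b"%PDF-" in data[:1024]
    # A DOCX is a ZIP archive. ZIP readers locate the archive from its
    # end-of-central-directory record at the *end* of the file, so leading
    # PDF bytes do not stop the Word container from being parsed.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            found["docx"] = ("[Content_Types].xml" in names
                             and any(n.startswith("word/") for n in names))
            found["docx_macros"] = "word/vbaProject.bin" in names
    except zipfile.BadZipFile:
        pass
    return found

def is_polyglot(data: bytes) -> bool:
    """True when the same bytes parse as a PDF and as a Word container."""
    f = detect_formats(data)
    return f["pdf"] and f["docx"]
```

A file that reports both formats deserves scanning under each one, not just the one its extension or leading bytes suggest.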

The misuse of polyglot files to evade antivirus programs is nothing new and has been well documented before, Bleeping Computer recalls, though it adds that the researchers consider this particular technique “new”.

Last year, Microsoft finally decided to block macros by default in Office files, due to the overwhelming abuse of the feature by various threat actors. Now only files that were not downloaded from the Internet can have macros enabled without going through multiple activation steps.

Via: Bleeping Computer