A widespread spam campaign from the well-known financial criminal group TA505 is spreading the FlawedAmmyy RAT using a brand-new vector: Weaponized PDFs containing malicious SettingContent-ms files.
The SettingContent-ms file format was introduced in Windows 10; it allows a user to create “shortcuts” to various Windows 10 setting pages.
“All this file does is open the Control Panel for the user [control.exe],” explained SpecterOps researchers in a recent posting on the format. “The interesting aspect of this file is the <DeepLink> element in the schema. This element takes any binary with parameters and executes it. What happens if we simply substitute ‘control.exe’ to something [malicious]?”
The answer to that question is that the substituted script, when opened, executes any command automatically, including cmd.exe and PowerShell, with no prompt to the user – making the format a perfect conduit for malware.
This approach code also flies under the radar, and the maliciously crafted files simply bypass certain Windows 10 defenses such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.
Of course, getting victims to open a funky file format attached to an email could be a challenge, so bad actors have started embedding these into more innocent-looking attachments. Accordingly, researchers at SpecterOps in June saw campaigns abusing the SettingContent-ms file format within Microsoft Word documents. Earlier this week however, Proofpoint researchers observed the approach evolving, and being used with PDF documents – a previously unknown technique.