Beware of Byakugan, the malware that hides behind a PDF file


Mélina LOUPIA

April 14, 2024 at 7:14 p.m.


Be careful before clicking on the PDF logo, it may be malware! © Kaspars Grinvalds / Shutterstock

A phishing campaign distributes Byakugan, malware that steals sensitive information and allows remote access to infected Windows devices.

Adobe has dominated the PDF market for 30 years now. Over the years the company has refined the format it created, in particular through its Acrobat Reader. With its little phrase "This document requires Adobe Acrobat Reader to be viewed, click here to download" present on most websites offering documents in this format, the San José firm has literally conquered the Internet.

But every glory has its price, and that is what researchers from Fortinet and ASEC demonstrated when, between January and April 2024, they discovered a malware called "Byakugan" hiding behind a fake PDF file that incites whoever receives it to click on a malicious link in order to read it. Simple, basic, but devastating.


A blurry PDF file in Portuguese as bait

Byakugan was first discovered in January 2024 by FortiGuard Labs. The researchers found a PDF file in Portuguese that distributed the malware. It contained a blurred table and instructions inviting the victim to click on a malicious link to view the content. Once the link is clicked, the downloader (Reader_Install_Setup.exe) drops a copy of itself named require.exe. It then downloads a clean installer into the temporary folder, followed by a DLL which is executed through DLL hijacking and launches require.exe to download the main module.

The DLL launches the copy, require.exe in the temporary folder, and not the original Reader_Install_Setup.exe, and the two files exhibit different behaviour. The main Byakugan module is downloaded from thinkforce.com, a C2 server that also serves as the attacker's control panel, with a login page on port 8080.
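Since the lure in this campaign is not an exploit but an ordinary link inside the PDF, a quick triage step is to pull every URI and action out of the file without opening it in a reader. The following Python script is an added example written for this article, not code from Fortinet, ASEC or Clubic; the sample PDFs and the download URL inside them are constructed placeholders, not indicators from the reports. It goes slightly beyond the page by also inflating FlateDecode streams, because a link annotation tucked into a compressed object stream will not show up in a plain search of the file.

```python
import re
import zlib

# Constructed sample (not a file from the campaign): a minimal single-page PDF
# whose only content is a "click to view" link annotation pointing at an
# external executable. The hostname is a placeholder.
LURE_URL = "https://download.example.invalid/Reader_Install_Setup.exe"
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 500 650]
   /A << /S /URI /URI (""" + LURE_URL.encode() + b""") >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A PDF literal string may contain parentheses escaped as \( and \).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Action types worth flagging in a document that is supposed to be a table.
ACTION_RE = re.compile(rb"/S\s*/(URI|Launch|JavaScript|SubmitForm|GoToR)\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate_streams(data: bytes) -> bytes:
    """Return the file plus the inflated body of every zlib (FlateDecode) stream.

    decompressobj is used instead of zlib.decompress so that a stream whose
    trailing checksum byte was swallowed by the delimiter regex still yields
    its content instead of raising.
    """
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not a Flate stream (image data, uncompressed content, ...)
    return b"\n".join(parts)


def _unescape(s: bytes) -> str:
    # Collapse backslash escapes (\( \) \\) of a PDF literal string in one pass.
    return re.sub(rb"\\(.)", rb"\1", s).decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI target in the file, including those inside compressed streams."""
    return [_unescape(m.group(1)) for m in URI_RE.finditer(_inflate_streams(pdf))]


def triage(pdf: bytes) -> dict:
    """Summarise the actions a PDF can trigger and flag the ones a 'table' never needs."""
    corpus = _inflate_streams(pdf)
    actions = sorted({m.group(1).decode() for m in ACTION_RE.finditer(corpus)})
    uris = extract_uris(pdf)
    exe_links = [u for u in uris
                 if u.lower().rsplit("?", 1)[0].endswith((".exe", ".msi", ".zip", ".js", ".vbs", ".scr"))]
    return {
        "uris": uris,
        "actions": actions,
        "exe_links": exe_links,
        "suspicious": bool(exe_links) or bool({"Launch", "JavaScript"} & set(actions)),
    }


def build_objstm_sample(url: str) -> bytes:
    """Constructed PDF 1.5 variant (simplified object stream, no xref) in which
    the same link annotation sits inside a FlateDecode stream, invisible to grep."""
    annot = (b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI ("
             + url.encode() + b") >> >> endobj")
    body = zlib.compress(annot)
    return (b"%PDF-1.5\n5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for name, doc in (("plain", SAMPLE_PDF), ("objstm", build_objstm_sample(LURE_URL))):
        print(name, triage(doc))
```

A link to a download of an `.exe` from a document that claims to be a table is the signal here; the script does not render anything, so it is safe to run on the suspicious file itself. Real-world files also use hex strings and multiple filters, which this regex-based pass does not cover, so treat an empty result as "nothing obvious", not "clean".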

Byakugan is Node.js-based malware that uses OBS Studio to monitor the target's desktop, among other functions. It bundles several libraries: a screen monitor, a miner, a keylogger, file manipulation and a browser information stealer.

Byakugan can also choose between mining on the CPU or the GPU to avoid overloading the system, and downloads popular miners such as XMRig, T-Rex and NBMiner. It stores captured data in a "kl" folder and can steal information about "cookies, credit cards, downloads and auto-populated profiles", the researchers wrote.

Adobe has not yet reacted to this attack © r.classen / Shutterstock

Adobe's name already used by hackers to spread their malware

But this is not the first time hackers have hidden behind Adobe's name. The AhnLab Security Intelligence Center (ASEC) also discovered an infostealer disguised as an Adobe Reader installer, distributed through a fake PDF file in Portuguese. The file prompted users to download Adobe Reader, which led to the execution of a malicious Reader_Install_Setup.exe.

That installer also creates two malicious files and launches a legitimate Windows system binary, msdt.exe, as administrator; msdt.exe then loads the malicious BluetoothDiagnosticUtil.dll. Through this DLL hijacking, the attacker bypasses User Account Control (UAC) and runs with elevated privileges.
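The chain described above and in the FortiGuard section (a fake installer in the download folder, its copy in the temporary folder, then an elevated msdt.exe loading a DLL from a user-writable path) leaves traces that endpoint telemetry such as Sysmon records. The following Python is an added example written for this article, not detection content from Fortinet, ASEC or any vendor; the event records are constructed to mirror the described chain (the user name, paths and parent processes are assumptions), the field names only loosely follow Sysmon's naming, and the list of directories msdt.exe is allowed to load from is an assumption to verify against your own baseline.

```python
import ntpath

# Constructed Sysmon-style events (not real telemetry). Paths, user name and
# parent processes are assumptions modelled on the chain described above.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "IntegrityLevel": "Medium",
     "Image": r"C:\Users\ana\Downloads\Reader_Install_Setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "ProcessCreate", "IntegrityLevel": "Medium",
     "Image": r"C:\Users\ana\AppData\Local\Temp\require.exe",
     "ParentImage": r"C:\Users\ana\Downloads\Reader_Install_Setup.exe"},
    {"EventType": "ProcessCreate", "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Users\ana\Downloads\Reader_Install_Setup.exe"},
    {"EventType": "ImageLoad",
     "Image": r"C:\Windows\System32\msdt.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\BluetoothDiagnosticUtil.dll"},
    {"EventType": "ImageLoad",  # benign: msdt.exe loading a system DLL
     "Image": r"C:\Windows\System32\msdt.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventType": "ProcessCreate", "IntegrityLevel": "Medium",  # benign
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed allowlist of directories a Windows binary legitimately loads DLLs from.
WINDOWS_BINARY_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Path fragments that mark locations a standard user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "c:\\windows\\temp\\")


def in_windows_binary_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_BINARY_DIRS)


def in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(events: list[dict]) -> list[dict]:
    """Run three rules over the events and return one alert per hit, in event order."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "")
        if ev["EventType"] == "ImageLoad":
            dll = ev.get("ImageLoaded", "")
            # Rule 1: msdt.exe should only load DLLs shipped with Windows.
            if base(image) == "msdt.exe" and not in_windows_binary_dir(dll):
                alerts.append({"rule": "msdt_dll_sideload", "image": image, "detail": dll})
        elif ev["EventType"] == "ProcessCreate":
            parent = ev.get("ParentImage", "")
            # Rule 2: an executable in a user-writable directory spawning another one
            # (the installer in Downloads running its copy in Temp).
            if in_user_writable_dir(image) and in_user_writable_dir(parent):
                alerts.append({"rule": "user_writable_exec_chain", "image": image, "detail": parent})
            # Rule 3: msdt.exe running at high integrity with a parent in a user-writable path.
            if (base(image) == "msdt.exe" and ev.get("IntegrityLevel") == "High"
                    and in_user_writable_dir(parent)):
                alerts.append({"rule": "msdt_elevated_from_user_dir", "image": image, "detail": parent})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 is the one that catches the UAC bypass itself: the side-loaded DLL name will change between campaigns, but a Windows diagnostic binary loading code from a user's Temp directory does not. Expect to tune both allowlists per environment before relying on the rules.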

Clubic, like the cybersecurity researchers behind the discovery of Byakugan, recommends that you be extremely vigilant about attachments that invite you to download software or an app. A useful red flag: if you already have the tool in question, it is probably a phishing attempt. For everything else, Clubic offers advice on protecting yourself from malware and ransomware.


Sources: HackRead, Fortinet, ASEC

Mélina LOUPIA


Former corporate journalist, the world of the web, networks, connected machines and everything written on the Internet whets my appetite. From the latest TikTok trend to the most-liked reels, I come from the Facebook generation that is still fascinated by the internal war between Mac and PC. As a wise woman, the Internet, its tools, practices and regulation are among my favorite hobbies (along with lineart, knitting and bad jokes). My motto: to try it is to adopt it, but in complete safety.
