The FBI is warning that fake online document converters are being used to steal people's information and, in worst-case scenarios, to deploy ransomware on victims' devices.
The warning came last week from the FBI Denver Field Office, after it received an increasing number of reports about these types of tools.
“The FBI Denver Field Office is warning that agents are increasingly seeing a scam involving free online document converter tools, and we want to encourage victims to report instances of this scam,” reads the warning.
“In this scenario, criminals use free online document converter tools to load malware onto victims’ computers, leading to incidents such as ransomware.”
The FBI says that cybercriminals are creating websites that promote free document converters, download tools, or file merging tools.
“To conduct this scheme, cyber criminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file,” continued the FBI.
“It might also claim to combine files, such as joining multiple .jpg files into one .pdf file. The suspect program might claim to be an MP3 or MP4 downloading tool.”
While the online tools work as advertised, the FBI says the resulting file may contain hidden malware that can be used to gain remote access to the infected device.
The FBI also says that the uploaded documents can be scraped for sensitive information, such as names, social security numbers, cryptocurrency seeds, passphrases, wallet addresses, email addresses, passwords, and banking information.
The FBI Denver field office told BleepingComputer that people are reporting these scams to IC3.gov, with one public sector entity reporting the scam in metro Denver in the last three weeks.
“The scammers try to mimic URLs that are legit – so changing just one letter, or ‘INC’ instead of ‘CO’,” Vikki Migoya, the Public Affairs Office for FBI Denver, told BleepingComputer.
“Users who in the past would type ‘free online file converter’ into a search engine are vulnerable, as the algorithms used for results now often include paid results, which might be scams.”
While the FBI told BleepingComputer they could not share any further technical details as it would let the scammers know what is working, threat actors have been known to use these tools to deploy malware.
Online converters lead to malware
Some have questioned whether these free document converters can lead to malware and ransomware attacks, and the answer is yes.
Last week, cybersecurity researcher Will Thomas shared some sites that claimed to be online document converters, such as docu-flex[.]com and pdfixers[.]com.

While these sites are no longer accessible, they distributed Windows executables named Pdfixers.exe [VirusTotal] and DocuFlex.exe [VirusTotal], which are both detected as malware.
A cybersecurity researcher known for tracking the Gootloader infection also reported in November about a Google advertising campaign that promoted fake file converter sites. These sites pretended to convert your files but instead caused you to download the Gootloader malware.
“Visiting this WordPress site (surprise!), I found a form for uploading a PDF to convert it to a .DOCX file inside a .zip,” explained the researcher.
“But after passing certain checks—being from an English-speaking country and not having visited in the past 24 hours on the same class C subnet—users instead receive a .JS file inside the .zip rather than a genuine .DOCX.”
This JavaScript file is Gootloader, a malware loader known for downloading additional malware, such as banking trojans, infostealers, malware downloaders, and post-exploitation tools, like Cobalt Strike beacons.
Using these additional payloads, the threat actors breach corporate networks and spread laterally to other computers. Attacks like these have led to full-blown ransomware attacks in the past, such as those by REvil and BlackSuit.
While not all file converters are malware, it is essential to research them before use and to check reviews before downloading any programs.
If a site is relatively unknown, it is better to avoid it altogether.
If you use an online file converter or downloader, be sure to analyze any resulting file from the site: if it is an executable or JavaScript, it is most definitely malicious.
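One way to run that check on a file a converter hands back, including the .JS-inside-.zip case described above. This is an added example, not code from the FBI or the article; the names `triage`, `make_zip` and `RUNNABLE` are hypothetical, and the sample archives are constructed in memory.

```python
import io
import zipfile
# File types Windows runs on double-click; a converter has no reason to return one.
RUNNABLE = {".exe", ".scr", ".com", ".msi", ".js", ".jse", ".vbs", ".vbe",
            ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}

def triage(name, data, depth=0):
    """Return findings for one file handed back by a converter site."""
    findings = []
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    if data[:2] == b"MZ":
        findings.append(f"{name}: Windows executable (MZ header)")
    elif ext in RUNNABLE:
        findings.append(f"{name}: runnable file type {ext}")
    if ext == ".pdf" and not data.startswith(b"%PDF-"):
        findings.append(f"{name}: named .pdf but lacks %PDF- header")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
            if ext == ".docx":
                # A real .docx is a ZIP package with a main document part.
                if "word/document.xml" not in members:
                    findings.append(f"{name}: named .docx but no word/document.xml")
            elif depth < 3:
                # Plain archive: inspect every member (bounded recursion).
                for m in members:
                    if not m.endswith("/"):
                        findings += triage(m, zf.read(m), depth + 1)
    elif ext == ".docx":
        findings.append(f"{name}: named .docx but is not a ZIP package")
    return findings

def make_zip(files):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in files.items():
            zf.writestr(n, d)
    return buf.getvalue()

# Constructed samples: a genuine-looking result and a .JS-in-.zip delivery.
DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<doc/>"})
GOOD = make_zip({"report.docx": DOCX})
BAD = make_zip({"report.js": b"// constructed placeholder, not real malware\n"})

if __name__ == "__main__":
    for label, blob in (("good.zip", GOOD), ("bad.zip", BAD)):
        print(label, triage(label, blob) or "no findings")
```

An empty result only means each file matches the type its name claims; it is not a verdict that the document itself is safe.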