Delaware, USA – February 28, 2019 – Adversaries exploit a Google Chrome vulnerability to collect system data for subsequent attacks. The developers promise to release an update to close the zero-day vulnerability in the built-in PDF viewer only at the end of April. EdgeSpot researchers found malicious documents that when opened in the browser send the HTTP POST packet containing the IP address of the target, system and browser information, and the path to the malicious document. Further research revealed that the first discovered campaign to distribute such PDF files occurred in November 2017, another campaign took place in September 2018. After researchers reported to Google Chrome developers about their discovery, they continued to record the appearance of new malicious documents using this zero-day vulnerability. Most antivirus solutions do not detect files as malicious, and opening these files in other PDF viewers do not cause any suspicious activity.
Prior to the update release, it is recommended to avoid viewing PDF files in Chrome. It is also worth noting that in the past year Adobe patched several critical vulnerabilities in Acrobat Reader, including those actively exploited in the wild. Threat actors often leverage PDFs or files pretended to be PDF docs for malware delivery. To detect compromise attempts, you can use the free Windows Security Monitor rule pack available at Threat Detection Marketplace: https://my.socprime.com/en/integrations/windows-security-monitor-arcsight