Delaware, USA – September 24, 2018 — Experts from Comodo discovered a new type of attack, which they called Evil Clone. To carry out this attack, adversaries created a “twin” of the PDFescape software and added a malicious payload to the installer of its extended font package. To avoid arousing users’ suspicion, the unidentified attackers created not only a copy of the PDFescape installer but also a complete copy of the legitimate server infrastructure on their own resource, including all the installation packages and the modified font package. The installer differs from its evil clone only in the URL from which it fetches the selected installation packages. While the extended font pack is being installed, xbox-service.exe is dropped on the system; it runs as a service and launches a malicious DLL via rundll32. The malware also tries to modify the Windows HOSTS file to block auto-updating of PDFescape and several anti-virus solutions. The DLL executes a browser script that loads the CoinHive cryptocurrency miner.
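One host-level check a responder can run for the HOSTS tampering described above is to parse the file and flag any non-local hostname that has been pinned to a loopback or unspecified address, which is how update and anti-virus servers are typically blocked. The script below is an added example written for this page, not code from Comodo or SOC Prime; the HOSTS content and the vendor hostnames in it are constructed, and the Windows path it reads when run directly is the standard location of the HOSTS file.

```python
import ipaddress
import os

# Constructed sample HOSTS content (not taken from the article). The two
# "updates" entries imitate the kind of sinkholing the malware performs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         updates.vendor-a.example
127.0.0.1       www.pdfescape-updates.example   # constructed entry
10.0.0.5        intranet.corp.example
"""

# Addresses that make a hostname unreachable rather than redirecting it.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately map to loopback and must not be flagged.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Standard HOSTS file location on Windows.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text.

    Comments (from '#' to end of line) and blank lines are skipped, and
    a line may list several hostnames after one address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # normalises the address
        except ValueError:
            continue  # malformed line; not an IP address
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def find_sinkholed_hosts(text):
    """Return [(hostname, ip)] for names mapped to a loopback/unspecified
    address that are not the standard local names. Such entries are the
    signature of software or AV update servers being blocked via HOSTS."""
    flagged = []
    for ip, name in parse_hosts(text):
        if ip in SINKHOLE_ADDRS and name not in BENIGN_NAMES:
            flagged.append((name, ip))
    return flagged


def main():
    # Use the real HOSTS file when it exists, otherwise the constructed sample.
    if os.path.exists(WINDOWS_HOSTS_PATH):
        with open(WINDOWS_HOSTS_PATH, encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for name, ip in find_sinkholed_hosts(text):
        print(f"suspicious HOSTS entry: {name} -> {ip}")


if __name__ == "__main__":
    main()
```

On the constructed sample the two vendor "updates" names are reported while the intranet entry, which points at a routable address, is not; on a real endpoint any hit should be compared against the organisation's known, deliberate HOSTS overrides before treating it as an indicator.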
Using the Evil Clone attack, cybercriminals have already infected more than 12 thousand PDFescape users. This cloning technique will allow attackers to infect their victims with much more dangerous malware. To detect assets compromised during this campaign and any connections to the CoinHive platform, you can use Web Mining Detector, a free rule pack for ArcSight and QRadar: https://my.socprime.com/en/integrations/soc-prime-web-mining-detector-arcsight