FBI warnings are true—fake file converters do push malware
The FBI is warning that fake online document converters are being used to steal peoples’ information and, in worst-case scenarios, to deploy ransomware on victims’ devices.
The warning came last week from the FBI Denver field office, after receiving an increasing number of reports about these types of tools.
“The FBI Denver Field Office is warning that agents are increasingly seeing a scam involving free online document converter tools, and we want to encourage victims to report instances of this scam,” reads the warning.
“In this scenario, criminals use free online document converter tools to load malware onto victims’ computers, leading to incidents such as ransomware.”
The FBI says that cybercriminals are creating websites that promote free document converts, download tools, or file merging tools.
“To conduct this scheme, cyber criminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file,” continued the FBI
“It might also claim to combine files, such as joining multiple .jpg files into one .pdf file. The suspect program might claim to be an MP3 or MP4 downloading tool.”
While the online tools work as advertised, the FBI says the resulting file may also contain hidden malware that can be used to gain remote access to the infected device.
The FBI also says that the uploaded documents can also be scraped for sensitive information, such as names, social security numbers, cryptocurrency seeds, passphrases, wallet addresses, email addresses, passwords, and banking information.
The FBI Denver field office told BleepingComputer that people are reporting these scams to IC3.gov, with one public sector entity reporting the scam in metro Denver in the last three weeks.
“The scammers try to mimic URLs that are legit – so changing just one letter, or ‘INC’ instead of ‘CO’,” Vikki Migoya, the Public Affairs Office for FBI Denver, told BleepingComputer.
“Users who in the past would type ‘free online file converter’ into a search engine are vulnerable, as the algorithms used for results now often include paid results, which might be scams.”
While the FBI told BleepingComputer they could not share any further technical details as it would let the scammers know what is working, threat actors have been known to utilize these tools to deploy malware.
Online converters lead to malware
Some have questioned whether these free document converters can lead to malware and ransomware attacks, and the answer is yes.
Last week, cybersecurity researcher Will Thomas shared some sites that claimed to be online document converters, such as docu-flex[.]com and pdfixers[.]com.
Source: Archive.org
While these sites are no longer available, they distributed Windows executables named Pdfixers.exe [VirusTotal] and DocuFlex.exe [VirusTotal], which are both detected as malware.
A cybersecurity researcher known for tracking the Gootloader infection also reported in November about a Google advertising campaign that promoted fake file converter sites. These sites pretended to convert your files but instead caused you to download the Gootloader malware.
“Visiting this WordPress site (surprise!), I found a form for uploading a PDF to convert it to a .DOCX file inside a .zip,” explained the researcher.
“But after passing certain checks—being from an English-speaking country and not having visited in the past 24 hours on the same class C subnet—users instead receive a .JS file inside the .zip rather than a genuine .DOCX.”
This JavaScript file is Gootloader, a malware loader known for downloading additional malware, such as banking trojans, infostealers, malware downloaders, and post-exploitation tools, like Cobalt Strike beacons.
Using these additional payloads, the threat actors breach corporate networks and spread laterally to other computers. Attacks like these have led to full-blown ransomware attacks in the past, such as those by REvil and BlackSuit.
While not all file converters are malware, it’s essential to research them before using and check reviews before downloading any programs.
If a site is relatively unknown, it is better to avoid it altogether.
If you use an online file converter or downloader, be sure to analyze any resulting file from the site, as if they are an executable or JavaScript, they are most definitely malicious.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
Source link
