Malware is often packaged with software solutions, where the user is given the software they are looking for, but the installer also silently delivers malware to their device. Since the desired product is installed, the user will be unaware that their device has been infected. Malware is often hidden in installers for pirated software or the associated keygen for obtaining the product key. All a threat actor has to do is convince a user to download and execute the installer.
One such campaign involves the use of online document converters, which are used to convert one file type to another. For example, these tools can be used to convert .docx files to .pdf files, create .pdf files from multiple .jpeg images, or convert one audio or video format to another. The Federal Bureau of Investigation (FBI) has been receiving an increasing number of complaints about malware infections from free document converters and download tools. The tool is delivered, but malware is also installed that provides the threat actor with remote access to the infected device, allowing them to steal sensitive data, encrypt files with ransomware, or use the infected device for other nefarious purposes. There are other risks associated with this scam. Cybercriminals in control of these tools are able to scrape sensitive information from the converted files, including passwords, cryptocurrency seeds, email addresses, banking information, and Social Security numbers. Any file uploaded to any online service risks a disclosure of sensitive information.
Traffic can be driven to these doctored or fake installers via links in emails, malvertising, and search engine poisoning. With malvertising and search engine poisoning, cybercriminals target key search terms, such as “free online file converter.” The URLs are made to appear legitimate, for example by mimicking a genuine tool’s domain with a couple of letters transposed, using hyphenated domain names, or using subdomains on an existing site. The site content often appears professional and can be difficult for web users to identify as malicious.
In addition to bundling malware with legitimate software, there are online versions of these tools. The user is instructed to upload the file they wish to convert, and the converted file is downloaded. There have been instances where the converted file is added to a zip file for download, but rather than the converted file, an executable or script file is delivered, such as a .js file. Attempting to open the file triggers the installation of malware such as a remote access trojan, keylogger, banking trojan, or malware downloader. The widely used malware downloader Gootloader has been observed being delivered this way. A Gootloader infection often leads to the delivery of a variety of malware payloads such as banking trojans, information stealers, and post-exploitation tools such as Cobalt Strike beacons.
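The swap described above (a .js file inside the zip where the converted document should be) is easy to check for before anyone opens the download. The following is an added example, not code from the original post or from TitanHQ: it inspects a returned zip, flags members with script or executable extensions, members whose extension does not match the format that was requested, and members whose leading bytes do not match that format. The extension list, the magic-byte table and the sample archives are constructed for illustration.

```python
import io
import zipfile

# File types that Windows runs directly or via the script host when opened;
# a converter has no reason to return any of them (constructed list).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".msi", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk",
}

# Leading bytes of the output formats the post mentions, used to confirm the
# member really is what its extension claims.
MAGIC_BY_EXTENSION = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",  # OOXML documents are zip containers
}


def check_converted_archive(zip_bytes: bytes, expected_ext: str) -> list[str]:
    """Return findings for a zip returned by a converter; [] means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"{info.filename}: script/executable type {ext}")
            elif ext != expected_ext:
                findings.append(f"{info.filename}: expected {expected_ext}, got {ext or 'no extension'}")
            else:
                magic = MAGIC_BY_EXTENSION.get(expected_ext)
                if magic and not zf.read(info).startswith(magic):
                    findings.append(f"{info.filename}: content is not {expected_ext}")
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed in-memory archive standing in for a converter's download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Run `check_converted_archive(build_sample_zip({"report.pdf.js": b"// constructed"}), ".pdf")` to see the script-type finding that the case in the text produces; a clean archive returns an empty list.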
Due to the increasing use of these tactics, it is important to incorporate them into your security awareness training programs to make users aware of the risks of using free file conversion tools. Before any such tool is used, it is important to conduct research to make sure the tool provider is genuine, and to scan any downloaded installer or converted file with antivirus software. Busy employees who need to quickly convert a file into a different format can easily fall victim to these scams.
In addition to raising awareness of the threat, businesses should consider restricting the types of files that can be downloaded from the Internet. This is easy with WebTitan, a powerful DNS-based web filter that prevents access to malicious websites and blocks unauthorized file downloads from the Internet. WebTitan can be configured to prevent certain employees (non-IT staff, for instance) from downloading executable file types, thereby neutralizing the threat. In addition to serving as an extra layer of protection against malware, WebTitan can also help to curb shadow IT – software installations unknown to the IT department. While these software installations may not contain any malware, they can easily introduce risks and vulnerabilities that can be exploited by hackers.
Give the TitanHQ team a call today to find out more about WebTitan and how it can improve security at your business, and for more information on the SafeTitan security awareness training and phishing simulation platform. TitanHQ also offers antispam software and a Microsoft 365 anti-phishing solution for blocking phishing threats. In recent independent tests, the engine that powers these two solutions achieved top spot for malware, phishing, and spam blocking out of all tested solutions with a perfect 100% block rate in each category and a 0.0% false positive rate.