Backdoor targeting corporate data through… Microsoft Publisher files?

Wait, what?

David Bisson

You heard me right! Malicious hackers are abusing Microsoft Publisher files to try to infect businesses with a backdoor and steal their corporate data.

Bitdefender’s researchers have come across spam emails purporting to originate from employees who work at small- to mid-size companies in China, the United Kingdom, and elsewhere.

These emails all have one thing in common: an attached Microsoft Publisher file masquerading as a purchase order or invoice.

In this day and age, it’s no surprise the file isn’t what it claims to be. As Bitdefender’s researchers explain:

“The .pub file contains a script (VBScript) that embeds a URL acting as a remote host. From this location, the malware downloads a self-extracting cabinet file containing an AutoIt script, a tool to run the script and an AES-256 encrypted file. The cyphered file can be decrypted using a key derived from the MD5 of a text written in the AutoIt file….”

Deobfuscated script

After attackers have decrypted the file, it’s game over. They have full backdoor access to the infected machine at that point, which means they can log keystrokes, steal login credentials, and make off with sensitive business data.

Decrypted script

To be clear, this backdoor – which Bitdefender believes hails from either Saudi Arabia or the Czech Republic – isn’t the first time bad guys have incorporated Microsoft Office documents into spam campaigns. Suspicious Word and PowerPoint documents, for instance, have delivered ransomware and other malicious attacks for many years.

But malicious Microsoft Publisher files? That’s something Adrian Miron of Bitdefender has rarely seen:

“.Pub is not your typical file format to host malware. Spammers have chosen it because people don’t usually associate this type of file with the possibility of infection.”

To avoid a malware infection at the hands of this spam and other campaigns like it, users should maintain an updated anti-virus solution on their computers and should always exercise caution around suspicious links and email attachments.

Also, there’s no reason for a legitimate company to send you an invoice via Publisher, a publishing and layout software app. Receiving any type of .pub file that claims to be an invoice should immediately raise a red flag.
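
A mail filter can apply that red-flag rule automatically. The sketch below is an added example, not code from Bitdefender or from the campaign: the function names, the lure keywords, and the three verdicts are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Publisher documents are OLE2 compound files and start with this signature.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Assumed keyword list, based on the "purchase order or invoice" lure described above.
LURE = re.compile(r"invoice|purchase[\s_-]*order", re.IGNORECASE)

def scan_message(raw: bytes) -> list:
    """Return one finding per attachment whose file name ends in .pub."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".pub"):
            continue
        data = part.get_payload(decode=True) or b""
        # The content check separates real Publisher files from other
        # things named .pub, such as SSH public keys.
        is_ole = data.startswith(OLE_MAGIC)
        lure = bool(LURE.search(name) or LURE.search(subject))
        if is_ole and lure:
            verdict = "quarantine"   # Publisher file posing as an invoice
        elif is_ole or lure:
            verdict = "review"
        else:
            verdict = "ignore"
        findings.append({"filename": name, "publisher_container": is_ole,
                         "invoice_lure": lure, "verdict": verdict})
    return findings

def build_sample(filename: str, payload: bytes, subject: str) -> bytes:
    """Build a constructed test message (not a sample from the campaign)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Please see attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    fake_pub = OLE_MAGIC + b"\x00" * 16  # constructed: header bytes only
    for raw in (build_sample("Purchase_Order_0417.pub", fake_pub, "Order confirmation"),
                build_sample("id_ed25519.pub", b"ssh-ed25519 CONSTRUCTED", "my key")):
        print(scan_message(raw))
```
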


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
