New Adobe Scam Unleashes Byakugan Malware

Cybersecurity experts are alerting to a new wave of attacks targeting Portuguese-speaking countries using fake Adobe Reader installers to disseminate a multifunctional malware known as Byakugan.

The attack commences with a PDF file that, upon opening, displays a blurred image and prompts the victim to download an external application to view its content.

According to researchers from Fortinet, clicking on the prompt initiates the download of an installer, triggering the infection process. This campaign was first reported by the cyber intelligence center ASEC last month.

The attack technique involves methods such as DLL Hijacking and bypassing Windows User Account Control (UAC) to download a malicious DLL file, which then activates the primary malicious code. The process also involves the legitimate installer of the PDF reader Wondershare PDFelement.

The binary file is capable of collecting system metadata and transmitting it to a control server, as well as downloading the main module “chrome.exe,” which also serves as a control server for receiving files and commands.

Byakugan is based on node.js and includes several libraries responsible for various functions: establishing persistence in the system, monitoring the user’s desktop with OBS Studio, capturing screenshots, downloading cryptocurrency miners, logging keystrokes, inventorying and uploading files, and stealing data stored in web browsers.

Upon analyzing the malware’s connections, researchers were able to access the Byakugan web control panel, greeted by an authorization screen. In the corner of the open tab, a ninja icon with white eyes can be seen, a clear reference to the anime “Naruto,” from which the malware’s name is also derived.

Fortinet notes a growing trend of using fully legitimate components in ransomware, complicating the process of threat analysis and detection.

A similar threat involving a fake installer was reported just today: the U.S. oil and gas corporate sector faced phishing attacks containing a notification about a car accident in which the victim, or rather their car, was supposedly involved. In the downloaded PDF file, hackers similarly use background blur and a fake notification mimicking Adobe Reader to compel the user to click a link and self-install the Rhadamanthys malware, which collects data from the infected system.