The Turla threat group, almost certainly Russian-speaking and widely attributed to Russian intelligence services, is back with a scary new phishing technique. These bad guys are sending emails with a malicious PDF payload that installs a hidden backdoor on the workstation.

The backdoor is a standalone dynamic link library that’s able to install itself and interact with Outlook and other email clients. It exfiltrates data through email, which means that it evades detection by many commonly used data loss prevention products. The stolen data is enclosed in a PDF container, which also looks unproblematic to many security solutions.

As the ESET researchers who’ve tracked this latest evolution of Turla warned, there’s no command-and-control server that can be taken down – the malware can be completely controlled via email, the data exfiltration can look entirely legitimate, and the ways in which the campaign modifies standard functions make it a stealthy and tough-to-eradicate infection.

The purpose of this malware is to monitor all incoming and outgoing emails on infected systems and to gather info about the sender, recipient, subject, and attachment name (if any). That data is then organized into logs that are sent to Turla operators.

The Outlook backdoor also checks all incoming email for PDFs that might contain commands from the attackers. It will accept commands from ANY threat actor that is able to encode them in the right format in a PDF document.

If the email address to which the malware typically transmits stolen data is blocked, the hacker can recover control of the backdoor simply by sending a rogue PDF with a new command and control IP address.
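Because the backdoor both receives its commands and ships its loot as PDF attachments riding on ordinary email, a mail gateway log is one of the few places a defender can look for it. The script below is an added example written for this post; it is not code from the original article, from ESET, or from any vendor product. It walks a few constructed gateway log lines in chronological order and flags two patterns the post describes: inbound PDFs from external senders the organization has never heard from (a possible command channel), and outbound PDFs to external addresses that have never sent mail in (a possible exfiltration channel). The log format, the field names, and the `corp.example` domain are all assumptions made for the example.

```python
"""Triage of mail-gateway log records for the PDF-over-email pattern.

Added example, not from the original post. Everything here (log format,
field names, the corp.example domain, the sample records) is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

INTERNAL_DOMAIN = "corp.example"  # assumed organization domain

# Constructed log format: timestamp|direction|sender|recipient|att1;att2;...
SAMPLE_LOG = """\
2018-08-22T09:01:00|in|partner@vendor.example|alice@corp.example|invoice.pdf
2018-08-22T09:05:00|out|alice@corp.example|partner@vendor.example|reply.pdf
2018-08-22T09:07:00|in|unknown@mailbox.example|bob@corp.example|report.pdf
2018-08-22T09:30:00|out|bob@corp.example|dropbox@mailbox.example|notes.pdf
2018-08-22T09:31:00|out|bob@corp.example|carol@corp.example|notes.pdf
"""


@dataclass
class MailEvent:
    ts: str
    direction: str          # "in" or "out", as seen from the organization
    sender: str
    recipient: str
    attachments: List[str]


def parse_line(line: str) -> MailEvent:
    """Split one constructed log record into its fields."""
    ts, direction, sender, recipient, atts = line.split("|")
    attachments = [a for a in atts.split(";") if a]
    return MailEvent(ts, direction, sender.lower(), recipient.lower(), attachments)


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def has_pdf(event: MailEvent) -> bool:
    return any(a.lower().endswith(".pdf") for a in event.attachments)


Finding = Tuple[str, str, str, str]   # (rule, timestamp, sender, recipient)


def triage(lines: List[str]) -> List[Finding]:
    """Return findings for the two PDF-over-email patterns.

    known_external holds every external address that has sent the
    organization mail so far; a PDF going out to an address that is NOT
    in that set has no prior conversation to justify it.
    """
    events = [parse_line(l) for l in lines if l.strip()]
    known_external = set()
    findings: List[Finding] = []
    for ev in events:  # assumes records are already in time order
        if ev.direction == "in" and domain(ev.sender) != INTERNAL_DOMAIN:
            # Inbound PDF from a sender we have never exchanged mail with:
            # the post notes the backdoor takes commands from any such PDF.
            if has_pdf(ev) and ev.sender not in known_external:
                findings.append(("inbound-pdf-unknown-sender", ev.ts, ev.sender, ev.recipient))
            known_external.add(ev.sender)
        elif ev.direction == "out" and domain(ev.recipient) != INTERNAL_DOMAIN:
            # Outbound PDF to an external address that never wrote to us:
            # matches the "stolen data in a PDF container" exfiltration path.
            if has_pdf(ev) and ev.recipient not in known_external:
                findings.append(("outbound-pdf-no-prior-contact", ev.ts, ev.sender, ev.recipient))
    return findings


if __name__ == "__main__":
    for rule, ts, sender, recipient in triage(SAMPLE_LOG.splitlines()):
        print(f"{ts} {rule}: {sender} -> {recipient}")
```

On the constructed sample this flags the first-contact PDF from `partner@vendor.example`, the PDF from `unknown@mailbox.example`, and the outbound PDF to `dropbox@mailbox.example`; the reply to the partner and the internal-only message are left alone. The first-contact rule is deliberately noisy, since a legitimate new correspondent trips it too; in practice it is a triage queue for the mail team rather than a block rule, and the outbound rule is the one worth alerting on.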

This is really a nightmare you don’t want to wake up to. Just another reason to NEVER click on attachments in emails – now especially PDFs. According to the FBI, the best way to defend against these attacks is to use face-to-face or voice-to-voice communications.

If you’re unsure the sender would send you a PDF, take the extra step to pick up the phone and verify that the email is legitimate.