Full Report
As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team has been actively tracking a phishing campaign impersonating the United States Postal Service (USPS) which is exclusively targeting mobile devices. The post Hidden in Plain Sight: PDF Mishing Attack appeared first on Zimperium.
Analysis Summary
# Tool/Technique: Malicious PDF Documents in USPS Mishing Campaign
## Overview
This describes a specific phishing campaign impersonating the United States Postal Service (USPS) that exclusively targets mobile devices, using SMS delivery (mishing) and malicious Portable Document Format (PDF) files to steal credentials and compromise sensitive data. The PDFs carry the phishing link in hidden clickable elements embedded with an unconventional obfuscation technique, which lets them slip past endpoint security tools that rely on conventional link extraction.
## Technical Details
- Type: Malware Vector / Technique (Leveraging PDF format)
- Platform: Mobile Devices (Primary Target)
- Capabilities: Delivering malicious links (via obfuscated means), credential theft, data exfiltration, leveraging user trust in the PDF format.
- First Seen: January 2025 (based on article date)
## MITRE ATT&CK Mapping
The primary focus is on initial access and execution via a trusted file type.
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1660 - Phishing (Mobile ATT&CK; note that the enterprise sub-technique T1566.003 is Spearphishing via Service, not SMS phishing, so it does not fit this delivery channel)
- **TA0002 - Execution**
- T1204 - User Execution
- T1204.002 - User Execution: Malicious File
## Functionality
### Core Capabilities
- **Social Engineering:** Impersonates USPS via SMS messages (mishing) to gain recipient trust.
- **File Delivery:** Delivers malicious content encapsulated within PDF documents.
- **Credential Theft:** Aims to redirect users to fraudulent websites designed to harvest sensitive information.
### Advanced Features
- **Evasion Technique:** Uses an "unconventional technique to embed the malicious link" in the PDF, so the clickable element is present for the viewer but hard for endpoint security tools to extract and analyze from the PDF structure.
- **Multilingual Support:** The eventual landing pages (phishing kit) showed multilingual support, suggesting a broad targeting scope.
- **Encrypted Communication:** Traffic involved in the file delivery or subsequent payloads is protected with the Rabbit stream cipher, using a distinct key per direction (request and response, labelled "magicCat-request" and "magicCat-response").
## Indicators of Compromise
*Note: Specific hard IOCs (hashes, IPs, domains) were not listed in the provided text block, only a reference to a separate location.*
- File Hashes: [Not provided in summary text]
- File Names: [Implied generic or USPS-themed filenames delivered in SMS]
- Registry Keys: [Not applicable/mentioned]
- Network Indicators: [Rabbit-encrypted request/response traffic keyed as "magicCat-request"/"magicCat-response"; phishing kit infrastructure supporting 50+ countries]
- Behavioral Indicators: Embedding hidden, clickable elements in a PDF structure to bypass security scanning; successful redirection to credential-harvesting websites following PDF interaction.
## Associated Threat Actors
- Unspecified actors running a large-scale operation (630 phishing pages tracked).
- Indicators suggest the use of a sophisticated **Phishing Kit** due to multilingual support and complex infrastructure.
## Detection Methods
- **Signature-based detection:** Largely bypassed, since the obfuscated link does not match the patterns conventional link extractors look for.
- **Behavioral detection:** Mobile Threat Defense (MTD) products such as Zimperium's use on-device AI to parse the PDF structure and evaluate link behavior in real time, including when the device is offline.
- **YARA rules:** [Not specified]
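The practical gap the campaign exploits is that many scanners only grep a PDF for the literal `/URI (http...)` pattern. The following script is an added illustration written for this summary; it is not Zimperium's detection logic and does not reproduce the campaign's undisclosed embedding trick. It walks every link annotation in a PDF, resolves the action whether it is written inline or as an indirect object, decodes the target whether it is a literal or a hex string, and flags annotations that a user would not see (invisible border, covering most of the page). The sample PDF is constructed inline for the demonstration; the two placeholder URLs and the hidden full-page link are assumptions for illustration, not indicators from the report.

```python
"""Triage link annotations in a PDF without relying on a '/URI (http' grep.

Added example for this summary (not Zimperium's code). Works on raw bytes with
regex, so it needs no PDF library and tolerates files with a broken xref.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample (not a real campaign file). Object 5 is a normal visible link.
# Object 6 is a full-page, borderless link whose action lives in object 7 and whose
# URL is a hex string: a naive "/URI (http" grep reports only object 5.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Annots [5 0 R 6 0 R] >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [50 700 300 720] "
    b"/A << /S /URI /URI (https://example.com/track) >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
    b"/Border [0 0 0] /A 7 0 R >> endobj\n"
    b"7 0 obj << /S /URI /URI <68747470733a2f2f6578616d706c652e6f72672f75737073> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")


@dataclass
class LinkFinding:
    obj: int
    action: str               # value of /S in the action dict (URI, JavaScript, Launch, ...)
    target: str | None        # decoded /URI (or /JS) value, if any
    rect: list[float]
    flags: list[str] = field(default_factory=list)


def parse_objects(pdf: bytes) -> dict[int, bytes]:
    """Map object number -> body bytes by scanning for 'N G obj ... endobj'."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}


def _nums(body: bytes, key: bytes) -> list[float]:
    m = re.search(key + rb"\s*\[([^\]]*)\]", body)
    return [float(x) for x in m.group(1).split()] if m else []


def _pdf_string(body: bytes, key: bytes) -> bytes | None:
    """Value of `key` whether written as a literal (...) or a hex <...> string."""
    m = re.search(key + rb"\s*\(((?:\\.|[^\\)])*)\)", body, re.S)
    if m:
        return re.sub(rb"\\(.)", rb"\1", m.group(1))   # undo simple escapes like \) \(
    m = re.search(key + rb"\s*<([0-9A-Fa-f\s]*)>", body)
    if m:
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:
            digits += b"0"                              # PDF pads an odd final nibble with 0
        return bytes.fromhex(digits.decode())
    return None


def naive_uri_grep(pdf: bytes) -> list[str]:
    """What a simple signature does: literal-string URIs only."""
    return [u.decode() for u in re.findall(rb"/URI\s*\((https?://[^)]*)\)", pdf)]


def analyze_links(pdf: bytes) -> list[LinkFinding]:
    objs = parse_objects(pdf)
    page_box: dict[int, list[float]] = {}           # annot obj number -> MediaBox of its page
    for body in objs.values():
        if re.search(rb"/Type\s*/Page\b", body):
            box = _nums(body, rb"/MediaBox") or [0, 0, 612, 792]
            annots = re.search(rb"/Annots\s*\[([^\]]*)\]", body)
            for ref in REF_RE.finditer(annots.group(1) if annots else b""):
                page_box[int(ref.group(1))] = box
    findings = []
    for num, body in objs.items():
        if not re.search(rb"/Subtype\s*/Link\b", body):
            continue
        flags: list[str] = []
        m = re.search(rb"/A\s*<<(.*?)>>", body, re.S)          # inline action dict
        if m:
            action_body = m.group(1)
        else:                                                   # action as an indirect object
            m = re.search(rb"/A\s*(\d+)\s+\d+\s+R", body)
            action_body = objs.get(int(m.group(1)), b"") if m else b""
            if m:
                flags.append("indirect-action")
        s = re.search(rb"/S\s*/(\w+)", action_body)
        action = s.group(1).decode() if s else "?"
        if action != "URI":
            flags.append(f"non-uri-action:{action}")
        if re.search(rb"/URI\s*<[0-9A-Fa-f\s]*>", action_body):
            flags.append("hex-encoded-uri")
        target = _pdf_string(action_body, rb"/URI") or _pdf_string(action_body, rb"/JS")
        rect = _nums(body, rb"/Rect")
        if len(rect) == 4 and num in page_box:
            x0, y0, x1, y1 = page_box[num]
            page_area = abs((x1 - x0) * (y1 - y0))
            link_area = abs((rect[2] - rect[0]) * (rect[3] - rect[1]))
            if page_area and link_area / page_area >= 0.5:
                flags.append("covers-most-of-page")
        if re.search(rb"/Border\s*\[\s*0\s+0\s+0\s*\]", body):
            flags.append("invisible-border")
        findings.append(LinkFinding(num, action, target.decode(errors="replace") if target else None, rect, flags))
    return findings


def suspicious(pdf: bytes) -> list[LinkFinding]:
    """Link annotations with at least one evasion or concealment flag."""
    return [f for f in analyze_links(pdf) if f.flags]


if __name__ == "__main__":
    print("naive grep sees:", naive_uri_grep(SAMPLE_PDF))
    for f in analyze_links(SAMPLE_PDF):
        print(f"obj {f.obj}: {f.action} -> {f.target} rect={f.rect} flags={f.flags}")
```

Run against a real file with `analyze_links(open(path, "rb").read())`; anything returned by `suspicious()` deserves a closer look even when the decoded URL looks benign, since a borderless full-page link is exactly the kind of hidden clickable element the report describes. The parser deliberately ignores object streams and encrypted files, so treat an empty result on a PDF that clearly has links as a reason to escalate rather than clear it.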
## Mitigation Strategies
- Deployment of Mobile Threat Defense (MTD) solutions with on-device scanning capabilities to analyze file contents before execution.
- User education regarding the inherent risk of opening unsolicited attachments (even trusted formats like PDF) received via SMS.
- Endpoint and gateway scanning that parses the full PDF object structure (annotations, actions and indirect objects) rather than pattern-matching for plain URLs, so hidden interactive elements are surfaced.
## Related Tools/Techniques
- Smishing campaigns.
- Exploitation of PDF structure (e.g., embedded JavaScript, forms, or actions).
- Use of stream ciphers for payload protection (Rabbit cipher noted here).