Full Report
A novel phishing campaign identified by Zimperium targets mobile users with malicious PDFs, impersonating USPS to steal credentials
Analysis Summary
# Tool/Technique: Malicious PDF Delivery via Mobile Phishing Campaign
## Overview
A newly identified phishing campaign targets mobile users by combining social engineering with a novel obfuscation technique inside Portable Document Format (PDF) files to get the recipient to tap a link. The link leads to a fake USPS delivery-notification site that harvests credentials and personal details.
## Technical Details
- Type: Technique (social engineering and file delivery combined with PDF obfuscation)
- Platform: Mobile devices (the lure is delivered by SMS); the PDF itself is cross-platform, and the hidden link was reported to go unnoticed in common viewers such as Chrome and macOS Preview (the latter is a desktop viewer, so the lure is not confined to phones)
- Capabilities: SMS delivery of malicious PDFs, PDF structure manipulation that hides the link target, credential harvesting on a spoofed USPS site, encrypted transmission of stolen data to the C2
- First Seen: January 27, 2025 (date of public reporting; the campaign may predate it)
## MITRE ATT&CK Mapping
The campaign spans initial access through credential harvesting:
- TA0001 Initial Access: T1566 Phishing; the SMS delivery is smishing, which the Mobile matrix covers as T1660 Phishing
- T1566.001 Spearphishing Attachment (the malicious PDF) and T1566.002 Spearphishing Link (the link embedded in the PDF)
- T1656 Impersonation (posing as USPS)
- T1027 Obfuscated Files or Information (link target hidden without a `/URI` action)
- T1204.001 User Execution: Malicious Link (the victim taps the "Click Update" button)
- TA0006 Credential Access: credentials and personal details entered on the fake USPS page
- T1573 Encrypted Channel (harvested data is encrypted before it is sent to the C2; the scheme is not described, so this is the closest mapping)
## Functionality
### Core Capabilities
- **Delivery via SMS:** Distributing malicious PDF files directly to mobile users through text messages.
- **Impersonation:** Posing as the United States Postal Service (USPS) to leverage user trust regarding package deliveries.
- **Credential Harvesting:** Redirecting users to fake websites designed to illicitly collect personal details and credentials.
### Advanced Features
- **Novel PDF Obfuscation:** The clickable link (rendered as a "Click Update" button) is embedded without the standard `/URI` action that normally declares a link target. The link area is instead built from an XObject (a drawn button appearance), so tools that enumerate `/URI` entries to extract links miss it, and viewers such as Chrome and macOS Preview display the button without surfacing the destination.
- **Encrypted Data Transmission:** Details harvested by the phishing page are encrypted before being sent to the Command and Control (C2) server, so the stolen values are not visible in cleartext on the wire.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: [Not specified beyond "malicious PDF files"]
- Registry Keys: [Not applicable/Not specified]
- Network Indicators: C2 servers that receive the encrypted personal details (no domains or IPs are given in the source).
- Behavioral Indicators: SMS delivery of PDF files; User interaction triggering redirection via embedded PDF object clicks; Collection prompts on landing pages mimicking USPS delivery issues.
## Associated Threat Actors
- [Not explicitly named, but described as operating a large-scale operation impacting over 50 countries.]
## Detection Methods
- Signature-based detection: weakened by the obfuscation, since signatures keyed on `/URI` strings or known phishing URLs inside PDFs do not fire when the link target is not declared with `/URI`.
- Behavioral and structural detection: parse inbound PDFs for `/Link` annotations that carry no `/URI` action, and for URL strings inside XObject or appearance streams; flag SMS messages that carry PDF attachments or links to PDFs; use Mobile Threat Defense (MTD) for on-device scanning of message content.
- YARA rules: (Not specified)
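The two structural tells above (a link that bypasses `/URI`, and a URL carried inside an XObject or action stream) can be checked without a full PDF parser. The following Python script is an added example, not Zimperium's code or anything from the campaign: it builds two constructed sample PDFs, one with a normal `/URI` link and one that is an assumed stand-in for the hidden-link pattern (a `/Link` annotation with no `/URI`, a FlateDecode Form XObject drawing the "Click Update" button, and the destination carried in a JavaScript `app.launchURL` action), then flags `/Link` annotations lacking a `/URI` action and any URL string found outside a `/URI`, including inside inflated streams. The object names, URLs and the stand-in layout are assumptions; the source does not publish the campaign's exact object structure.

```python
"""Heuristic scanner for PDF links that avoid the standard /URI action.

Added example (not Zimperium's tooling). Standard library only. The two
sample PDFs below are constructed here; the hidden-link one is an assumed
stand-in for the pattern described in the report, not a campaign sample.
"""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
FLATE_RE = re.compile(rb"/Filter\s*/FlateDecode")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")   # literal-string /URI values only
ACTION_REF_RE = re.compile(rb"/A\s+(\d+)\s+\d+\s+R")  # /A pointing at an indirect object
LINK_RE = re.compile(rb"/Subtype\s*/Link")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./?=&_%:#~-]+")


def build_pdf(objects):
    """Assemble numbered objects into a minimal PDF with a valid xref table."""
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for i, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref)
    return bytes(out)


def stream_object(dict_prefix, content):
    """Finish an open dictionary as a FlateDecode stream object, as real PDFs usually store content."""
    data = zlib.compress(content)
    return dict_prefix + b" /Filter /FlateDecode /Length %d >>\nstream\n" % len(data) + data + b"\nendstream"


COMMON = [
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>",
]

# Constructed benign sample: the link target is declared the normal way.
BENIGN_PDF = build_pdf(COMMON + [
    b"<< /Type /Annot /Subtype /Link /Rect [100 700 300 720]"
    b" /A << /S /URI /URI (https://tracking.example.com/update) >> >>",
])

# Constructed hidden-link sample (assumed layout): no /URI anywhere. The button is a
# compressed Form XObject appearance stream and the destination sits in a JavaScript
# action, so link extractors that only enumerate /URI entries see nothing.
HIDDEN_LINK_PDF = build_pdf(COMMON + [
    b"<< /Type /Annot /Subtype /Link /Rect [100 700 300 720] /AP << /N 5 0 R >>"
    b' /A << /S /JavaScript /JS (app.launchURL("https://usps-update.example/verify", true)) >> >>',
    stream_object(b"<< /Type /XObject /Subtype /Form /BBox [0 0 200 30]",
                  b"BT /F1 12 Tf 20 8 Td (Click Update) Tj 0 -14 Td (https://usps-update.example/verify) Tj ET"),
])


def parse_objects(pdf):
    """Map object number -> dictionary text plus inflated stream content."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        s = STREAM_RE.search(body)
        if s:
            data = s.group(1)
            if FLATE_RE.search(body):
                try:
                    data = zlib.decompress(data)
                except zlib.error:
                    pass  # keep the raw bytes; a URL inside stays invisible to URL_RE
            body = body[:s.start()] + data
        objs[int(m.group(1))] = body
    return objs


def scan_pdf(pdf):
    """Return declared /URI targets and findings that suggest a hidden link."""
    objs = parse_objects(pdf)
    declared = set()
    for text in objs.values():
        declared.update(URI_ACTION_RE.findall(text))
    findings = []
    for num, text in sorted(objs.items()):
        if LINK_RE.search(text):
            ref = ACTION_REF_RE.search(text)
            action = objs.get(int(ref.group(1)), b"") if ref else text
            if not URI_ACTION_RE.search(action):
                findings.append("obj %d: /Link annotation without a /URI action" % num)
        for url in URL_RE.findall(text):
            if url not in declared:
                findings.append("obj %d: URL outside any /URI action: %s" % (num, url.decode("latin-1")))
    return {"declared": sorted(u.decode("latin-1") for u in declared), "findings": findings}


if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("hidden-link", HIDDEN_LINK_PDF)):
        print(name, scan_pdf(pdf))
```

The scanner is deliberately narrow: it only understands literal-string `/URI` values and uncompressed or FlateDecode streams, and it does not descend into object streams, hexadecimal strings or encrypted documents. Treat it as a triage filter in front of a real parser (for instance `pdf-parser.py` or PyMuPDF), and treat any `/Link` without `/URI`, or any URL that only appears inside a stream, as worth a manual look.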
## Mitigation Strategies
- **User Education:** Train users to verify sender details, to treat unexpected delivery notices with attachments as suspect, and to confirm shipping status independently through official channels (the USPS website or app) rather than through links in messages.
- **Layered Security:** Implementing robust mobile threat defense mechanisms, especially on-device scanning.
- **Authentication:** Implementing Multi-Factor Authentication (MFA) to prevent unauthorized access even if credentials are stolen.
- **Zero Trust:** Utilizing Zero-Trust frameworks alongside Privileged Access Management (PAM) to restrict system access.
## Related Tools/Techniques
- **AppLite Malware:** (Related via context as another mobile threat)
- **FakeCall Malware:** (Related via context as another mobile threat)
- General phishing campaigns targeting mobile devices (the source cites an 82% figure for phishing activity aimed at mobile, which underlines the trend).