Hundreds of thousands of emails are delivering weaponized PDFs containing malicious SettingContent-ms files.
A widespread spam campaign from the well-known financial criminal group TA505 is spreading the FlawedAmmyy RAT using a brand-new vector: Weaponized PDFs containing malicious SettingContent-ms files.
The SettingContent-ms file format was introduced in Windows 10; it allows a user to create “shortcuts” to various Windows 10 setting pages.
“All this file does is open the Control Panel for the user [control.exe],” explained SpecterOps researchers in a recent posting on the format. “The interesting aspect of this file is the <DeepLink> element in the schema. This element takes any binary with parameters and executes it. What happens if we simply substitute ‘control.exe’ to something [malicious]?”
The answer to that question is that the substituted script, when opened, executes any command automatically, including cmd.exe and PowerShell, with no prompt to the user – making the format a perfect conduit for malware.
This approach code also flies under the radar, and the maliciously crafted files simply bypass certain Windows 10 defenses such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.
