VTA-004509 – Dangerous Online File Converters Spotted Spreading Malware
The FBI has issued a warning regarding fraudulent online document converter tools being used by cybercriminals to steal sensitive information and deploy malware, including ransomware.
These fake websites, often mimicking legitimate URLs and promoted through deceptive advertising, trick users into uploading files for conversion or downloading supposedly converted documents. However, these files may contain hidden malware that grants remote access to devices or scrapes uploaded data for personal details like social security numbers, banking information, and cryptocurrency seeds. Cybersecurity researchers have confirmed the existence of such malicious sites, which distribute malware like Gootloader, leading to further network breaches and potential ransomware attacks. Users are advised to exercise caution when using online file conversion tools, thoroughly research websites before use, and avoid unknown or suspicious sites altogether. Analyzing downloaded files for executables or JavaScript is crucial to identify potential malware.
Severity:
Medium
Attack Surface:
Remote Access Service, Web Application, Web Browser
Tactics:
Defense Evasion, Execution, Privilege Escalation
Techniques:
T1204.002 – Malicious File
T1055 – Process Injection
T1027 – Obfuscated Files or Information
T1140 – Deobfuscate/Decode Files or Information
References:
1. https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam
SuperPRO’s Threat Countermeasures Procedures:
1. Actively monitor threat intelligence feeds and dark web forums for indicators of compromise (IOCs) related to these fake converter sites, including domain names, file hashes, IP addresses, and associated malware families.
2. Review network traffic logs for connections to suspicious domains, unexpected outbound traffic patterns, and downloads of executable or JavaScript files from untrusted sources.
3. Create EDR rules to detect and block the execution of known malicious file hashes related to fake document converters.
4. Analyze web proxy and DNS logs to identify users who may have accessed malicious file conversion websites.
5. Issue an internal security advisory warning employees about the risks of free online document converters, and make them aware of the phishing and social engineering lures that could lead them to these malicious sites.
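The advisory's recommendation to analyze downloaded files for executables or JavaScript, as an added Python example (not code from the advisory or the FBI notice): it compares a file returned by a converter site against its claimed extension, flags Windows PE content and script or executable members inside zip results, and runs on constructed inert samples. The extension lists and heuristics are the example's own assumptions, not indicators from the advisory.

```python
import io
import zipfile

# Extensions a converted document should never carry, including script types hidden in archives.
EXECUTABLE_EXT = {".exe", ".scr", ".msi", ".dll", ".bat", ".cmd", ".ps1"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
OOXML_EXT = {".docx", ".xlsx", ".pptx"}  # zip containers that must hold [Content_Types].xml

def _ext(name):
    n = name.lower()
    return n[n.rfind("."):] if "." in n else ""

def inspect_download(filename, data):
    """Heuristic findings for a converter download; [] means nothing found, not 'clean'."""
    findings, ext = [], _ext(filename)
    if ext in EXECUTABLE_EXT | SCRIPT_EXT:              # 1. name itself is exec/script
        findings.append(f"executable or script extension {ext}")
    if data.startswith(b"MZ"):                          # 2. content is a Windows PE
        findings.append("PE header (MZ) in content")
    if ext == ".pdf" and not data.startswith(b"%PDF"):  # 3. claimed type vs magic bytes
        findings.append("named .pdf but content is not PDF")
    if data.startswith(b"PK\x03\x04"):                 # 4. look inside zip containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:                      # truncated or corrupt zip
            names = []
        if ext in OOXML_EXT and "[Content_Types].xml" not in names:
            findings.append(f"named {ext} but zip lacks [Content_Types].xml")
        for n in names:
            if _ext(n) in SCRIPT_EXT | EXECUTABLE_EXT:
                findings.append(f"archive member {n} is executable or script")
    elif ext in OOXML_EXT:
        findings.append(f"named {ext} but content is not a zip container")
    return findings

def _zip_with(members):  # build a small zip in memory for the constructed samples
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples (inert, not malware): benign PDF, PE stub named .pdf, zip with a .js member, real .docx.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n% constructed minimal body\n",
    "invoice_converted.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "converted.zip": _zip_with({"invoice.pdf.js": b"// constructed, inert\n"}),
    "report.docx": _zip_with({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"}),
}
```

Call inspect_download(name, data) on each downloaded file before it is opened; any non-empty result should route the file to sandbox analysis rather than to the user.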
Contributed by: Syaff