Disguised Adobe Reader Installer That Install Infostealer Malware

An infostealer disguised as the Adobe Reader installation has been observed. The file is disseminated in PDF format and prompts users to download and run it.

The fake PDF file, according to AhnLab Security Intelligence Center (ASEC), is written in Portuguese and instructs users to download and install Adobe Reader. 

It urges users to download and install malware by informing them that Adobe Reader is needed to open the file.

The Flow Of The Attack

Researchers say the message prompts users to install and download Adobe Reader.

When users click the gray area as seen below, malware is downloaded, and they are redirected to the following message, hxxps://raw.githubusercontent[.]com/fefifojs/reader/main/Reader_Install_Setup.exe

Fake PDF File

“The downloaded file takes the form of the Adobe Reader icon, and its name is set as Reader_Install_Setup.exe.

By taking the disguise of the Adobe Reader installer, it prompts the user to run it”, ASEC researchers shared with Cyber Security News.


The downloaded file’s execution procedure has three stages: file creation, DLL Hijacking & UAC Bypass, and Information Leak.

Attack Phases

Following the file creation phase, Reader_Install_Setup.exe uses the following command to launch msdt.exe, a Windows system file, and produces two malicious files.

“C:\Windows\SysWOW64\msdt.exe” -path “C:\WINDOWS\diagnotics\index\BluetoothDiagnostic.xml” -skip yes

Running sdiagnhost.exe as administrator is the function of the msdt.exe process that is now running.

Therefore, when the sdiagnhost.exe process loads BluetoothDiagnosticUtil.dll, the malicious DLL file is loaded.

Following the above process, the threat actor can bypass user account control (UAC) by using DLL hijacking.

During the information leak phase, it generates files, including chrome.exe, and conceals them in the generated path.

Chrome.exe collects system and browser information and sends it to the C2 server.

The created chrome.exe is a malicious file associated with the actual Google Chrome browser, and it impersonates the actual browser executable file by using the same icon.

Consequently, users who acquire files from unauthorized sources should exercise extreme caution when dealing with files that ask them to run malware.

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *