The cybersecurity world is abuzz with the emergence of a new multi-functional malware called Byakugan, which is being distributed through fake installers for Adobe Acrobat Reader. The attack begins with a deceptive PDF file in Portuguese that prompts the victim to download the Reader application to view the content. Once the victim clicks on the link, an installer named “Reader_Install_Setup.exe” is activated, initiating the infection sequence.
Byakugan utilizes sophisticated techniques like DLL hijacking and Windows User Access Control (UAC) bypass to load a malicious DLL file, leading to the deployment of the final payload. This malware is equipped to gather system metadata, capture screenshots, log keystrokes, download cryptocurrency miners, and extract data from web browsers. Security researcher Pei Han Liao notes that Byakugan is a node.js-based malware packed into its executable.
The discovery of Byakugan comes in the wake of revelations about a campaign spreading the Rhadamanthys information stealer disguised as a groupware installer and the use of a manipulated version of Notepad++ to distribute the WikiLoader malware. These incidents underscore the growing trend of threat actors incorporating both clean and malicious components in malware to evade detection.
As cybersecurity experts continue to unravel the complexities of Byakugan and other emerging threats, vigilance in safeguarding systems and data against malicious actors becomes paramount. Stay tuned for more updates on this evolving landscape of cyber threats.